O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION E. Ghadafi N.P. Smart B. Warinschi Department of Computer Science, University of Bristol Twelfth IMA International Conference on Cryptography and Coding 15 th − 17 th December 2009 P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY O UTLINE ROM PROOFS 1 G ROTH -S AHAI P ROOFS 2 I MPLEMENTATION 3 B ATCH V ERIFICATION 4 R ESULTS 5 S UMMARY 6 P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY O UTLINE ROM PROOFS 1 G ROTH -S AHAI P ROOFS 2 I MPLEMENTATION 3 B ATCH V ERIFICATION 4 R ESULTS 5 S UMMARY 6 P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY O UTLINE ROM PROOFS 1 G ROTH -S AHAI P ROOFS 2 I MPLEMENTATION 3 B ATCH V ERIFICATION 4 R ESULTS 5 S UMMARY 6 P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY O UTLINE ROM PROOFS 1 G ROTH -S AHAI P ROOFS 2 I MPLEMENTATION 3 B ATCH V ERIFICATION 4 R ESULTS 5 S UMMARY 6 P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY O UTLINE ROM PROOFS 1 G ROTH -S AHAI P ROOFS 2 I MPLEMENTATION 3 B ATCH V ERIFICATION 4 R ESULTS 5 S UMMARY 6 P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY O UTLINE ROM PROOFS 1 G ROTH -S AHAI P ROOFS 2 I MPLEMENTATION 3 B ATCH V ERIFICATION 4 R ESULTS 5 S UMMARY 6 P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY N ON -I NTERACTIVE P ROOFS "A proof is whatever convinces me.", Shimon Even. P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION 1 / 22
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY A PPLICATIONS OF Z ERO -K NOWLEDGE P ROOFS Example applications: Anonymous Credentials: Client proves he possesses the required credentials without revealing them. Online Voting: Voter proves to the server that he has voted correctly without revealing his actual vote. Signature Schemes, Oblivious Transfer , CCA-2 Encryption Schemes, ... P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION 2 / 22
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY H ISTORY OF NIZK P ROOFS Blum-Feldman-Micali, 1988. Damgard, 1992. Killian-Petrank, 1998. Feige-Lapidot-Shamir, 1999. De Santis-Di Crescenzo-Persiano, 2002. Groth-Sahai, 2008. P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION 3 / 22
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY O UR C ONTRIBUTION Efficient implementations of NIZK proofs for Circuit SAT in the ROM model using Sigma-Protocols and other optimizations (e.g. Computing shared monomials, etc. ). Efficient implementations of NIZK proofs for Circuit SAT in the CRS model using Groth-Sahai proofs. P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION 4 / 22
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY I MPLEMENTATION (R ATIONALE ) Why Circuits ??? Every NP problem could be reduced to Circuit SAT. Problem: Circuit Size ??? Solution: Efficient implementations would help solve some of this problem. Other techniques that does not require reduction to NP are applicable to limited languages (i.e. You cannot prove much with them). P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION 5 / 22
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY ROM P ROOFS - Σ P ROTOCOLS Prover Verifier Public Parameters, Public Parameters, ( w , x ) ( x ) P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION 6 / 22
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY ROM P ROOFS - Σ P ROTOCOLS Prover Verifier Public Parameters, Public Parameters, ( w , x ) ( x ) Commitment − − − − − − − − − − − − − − − − − − − − − → P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION 6 / 22
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY ROM P ROOFS - Σ P ROTOCOLS Prover Verifier Public Parameters, Public Parameters, ( w , x ) ( x ) Commitment − − − − − − − − − − − − − − − − − − − − − → Challenge ← − − − − − − − − − − − − − − − − − − − P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION 6 / 22
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY ROM P ROOFS - Σ P ROTOCOLS Prover Verifier Public Parameters, Public Parameters, ( w , x ) ( x ) Commitment − − − − − − − − − − − − − − − − − − − − − → Challenge ← − − − − − − − − − − − − − − − − − − − Response − − − − − − − − − − − − − − − − − − − − → P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION 6 / 22
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY ROM P ROOFS - Σ P ROTOCOLS Prover Verifier Public Parameters, Public Parameters, ( w , x ) ( x ) Commitment − − − − − − − − − − − − − − − − − − − − − → Challenge ← − − − − − − − − − − − − − − − − − − − Response − − − − − − − − − − − − − − − − − − − − → ⇓ Accept or Reject P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION 6 / 22
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY ROM P ROOFS - Σ P ROTOCOLS Prover Verifier Public Parameters, Public Parameters, ( w , x ) ( x ) Commitment − − − − − − − − − − − − − − − − − − − − − → Challenge ← − − − − − − − − − − − − − − − − − − − Response − − − − − − − − − − − − − − − − − − − − → ⇓ Accept or Reject The interactive proof could be made non-interactive using the Fiat-Shamir transformation. The challenge is now: H (Public parameters || Commitment) P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION 6 / 22
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY G ROTH -S AHAI P ROOFS Symmetric External Diffie-Hellman Assumption Proofs: Setup: f A 1 × A 2 → A T P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION 7 / 22
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY G ROTH -S AHAI P ROOFS Symmetric External Diffie-Hellman Assumption Proofs: Setup: f A 1 × A 2 → A T F B 1 × B 2 − → B T P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION 7 / 22
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY G ROTH -S AHAI P ROOFS Symmetric External Diffie-Hellman Assumption Proofs: Setup: f A 1 × A 2 → A T ι 1 ↓↑ ρ 1 ι 2 ↓↑ ρ 2 ι T ↓↑ ρ T F B 1 × B 2 − → B T Properties: ∀ x ∈ A 1 , ∀ y ∈ A 2 : F ( ι 1 ( x ) , ι 2 ( y )) = ι T ( f ( x , y )) , ∀X ∈ B 1 , ∀Y ∈ B 2 : f ( p 1 ( X ) , p 2 ( Y )) = p T ( F ( X , Y )) . Proof: Consists of Θ ∈ B 1 and Π ∈ B 2 P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION 7 / 22
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY G ROTH -S AHAI P ROOFS Product Proof: Prove that one value is the product of other two values. x 1 ( 1 ) · � x 2 ( 1 ) − � x 1 ( 2 ) = 0. Equation: � Bit Proof: Prove that a commitment hides 0 or 1. x 1 ( 1 ) · � x 2 ( 1 ) − � x 1 ( 1 ) = 0. Equation: � Equality Proof: Prove that two different commitments hide the same value. x 2 ( 1 ) − � x 1 ( 1 ) = 0. Equation: � P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION 8 / 22
O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY I MPLEMENTATION I : The circuit input wires { w 1 , ..., w 7 } O : The circuit final output wires { w 13 } G The set of gates { g 1 , ..., g 6 } : M on : The set of monomials (i.e. products needed in the QEq Method) PW : The set of proof wires (i.e. wires shared between monomials) P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION 9 / 22
Recommend
More recommend
![Interactive Proofs Lecture 18 AM 1 Interactive Proofs 2 Interactive Proofs IP[k] 2](https://c.sambuz.com/697105/interactive-proofs-s.jpg)
