Short Pairing-basedNon-interactive Zero-Knowledge Arguments

Jens Groth

University College London

Motivation

Voter Official

We can only accept correctly formatted

votes

Attaching encrypted vote to this e-mail

Non-interactive zero-knowledge proof

Voter Official

Ok, we will count your vote

Attaching encrypted vote to this e-mail+ NIZK argument

that correctly formatted

Soundness:Vote is correct

Zero-knowledge:Vote remains secret

Non-interactive zero-knowledge argument

Prover VerifierSoundness:Statement is true

Zero-knowledge:Nothing but truth revealed

Common reference string

Proof:

(x,w)RL

Statement: xL

Applications of NIZK arguments

• Ring signatures• Group signatures• Anonymous credentials• Verifiable encryption• Voting• ...

Our contribution

• Common reference string with special distribution • Statement: C is satisfiable circuit• Very efficient verifier• Sub-linear (constant) size NIZK argument• Not Fiat-Shamir heuristic (no random oracle)

• Perfect completeness• Computational soundness• Perfect zero-knowledge

Adaptive soundness:Adversary sees CRS before attempting to cheat with false (C,)

Pairings

• G, GT groups of prime order p

• Bilinear map e: G G GT

– e(ax,by) = e(a,b)xy

– e(g,g) generates GT if g is non-trivial

• Group operations, deciding group membership, computing bilinear map are efficiently computable

Assumptions

• Power knowledge of exponent assumption (q-PKE):Given (g,gx,…,gxq,g,gx,…,gxq) hard to compute (c,c) without knowing a0,…,aq such that

c = ga0ga1x…gaqxq

• Computational power Diffie-Hellman (q-CPDH):For all j hard to compute gxj given

(g,gx,…,gxq,g,gx,…,gxj-1,gxj+1,…,gxq)

• Both assumptions hold in generic group model

Comparison

CRS Size Prover comp. Verifier comp.

Kilian-Petrank (Nk) group (Nk) group (Nk) expo (Nk) mult

Trapdoor permutations Stat. Sound Comp. ZK

GOS O(1) group O(N) group O(N) expo O(N) pairing

Subgroup decision Perfect sound Comp. ZK

Abe-Fehr O(1) group O(N) group O(N) expo O(N) pairing

Dlog & knowledge of expo. Comp. sound Perfect ZK

This work O(N2) group O(1) group O(N2) mult O(N) mult

q-PKE and q-CPDH Comp. sound Perfect ZK

This work O(N2/3) group O(N2/3) group O(N4/3) mult O(N) mult

q-PKE and q-CPDH Comp. sound Perfect ZK

Interactive + O(√N) group O(√N) group O(N) mult O(N) mult

Fiat-Shamir Dlog and random oracle Comp. sound Perfect ZK

Knowledge commitments

• Commitment key: ck=(g,gx,…,gxq,g,gx,…,gxq)

• Commitment to (a1,…,aq) using randomness rZp

c = (g)r(gx)a1…(gxq)aq ĉ = (g)r(gx)a1…(gxq)aq

• Verifying commitment: e(c,g) = e(ĉ,g) • Knowledge: q-PKE assumption says impossible to

create valid (c,ĉ) without knowing r,a1,…,aq

Homomorphic property

• c = (g)r(gx)a1…(gxq)aq

log(c) = r+a1x+…+aqxq

• Homomorphic

commit(a1,…,aq;r) ∙ commit(b1,…,bq;s)= commit(a1+b1,…,aq+bq;r+s)

(r+aixi) + (s+bixi) = r+s+(ai+bi)xi

Tools

• Constant size knowledge commitments for tuples of elements (a1,…,aq) (Zp)q

• Homomorphic so we can add committed tuplescom(a1,…,aq)∙com(b1,…,bq) = com(a1+b1,…,aq+bq)

• NIZK argument for multiplicative relationship com(a1,…,aq) com(b1,…,bq) com(a1b1,…,aqbq)

• NIZK argument for known permutation com(a1,…,aq) com(a(1),…,a(q))

Circuit with NAND-gates

• commit(a1,…,aN,b1,…,bN)

• commit(b1,…,bN,0,…..,0)

• commit(u1,…,uN,0,…..,0)

• NIZK argument for uN = 1

• NIZK argument for everything else consistent

a1 a2

a3

a4

b1 b2

b3

b4

u1

u3

u2

u4

Consistency

• Need to show valid inputs a1,…,aN,b1,…bN{0,1}

• NIZK argument for multiplicative relationship

commit(a1,…,aN,b1,…bN) commit(a1,…,aN,b1,…bN) commit(a1,…,aN,b1,…bN)

shows a1a1=a1, …, aNaN=aN, b1b1=b1, …, bNbN=bN

• Only possible if a1{0,1}, …, aN{0,1}, b1{0,1}, …, bN{0,1}

Consistency

• Homomorphic property givescommit(1,…,1,0,…,0) / commit(u1,…,uN,0,…,0)= commit(1-u1,…,1-uN,0,…,0)

• NIZK argument for multiplicative relationship incommit(a1,…,aN,b1,…,bN) commit(b1,…,bN,0,…,0)

commit(1-u1,…,1-uN,0,…,0)shows 1-u1=a1b1,…,1-uN=aNbN

• This proves all NAND-gates are respected u1=(a1b1),…,uN=(aNbN)

Consistency

• Using NIZK arguments for permutation we prove consistency of wires, i.e., whenever ai and bj correspond to the same wire ai = bj

• We refer to the full paper for the details

Circuit with NAND-gates

• commit(a1,…,aN,b1,…,bN)

• commit(b1,…,bN,0,…..,0)

• commit(u1,…,uN,0,…..,0)

• NIZK argument for uN = 1

• NIZK argument for everything else consistent

a1 a2

a3

a4

b1 b2

b3

b4

u1

u3

u2

u4

Conclusion

• NIZK argument of knowledge– perfect completeness– perfect zero-knowledge– computational soundness

• Short and efficient to verify

CRS Argument Prover comp. Verifier comp.

Minimal argument O(N2) O(1) O(N2) mults O(N) mults

Balanced sizes O(N2/3) O(N2/3) O(N4/3) mults O(N) mults

CRS O(N2(1-ε)) and argument O(Nε)

q-PKE and q-CPDH

Thanks

Full paper available at

www.cs.ucl.ac.uk/staff/J.Groth