Efficient Modular NIZK Arguments from Shift and Product
Speaker: Bingsheng Zhang (1). Joint work with Prastudy Fauzi (2) and Helger Lipmaa (2).
(1) National and Kapodistrian University of Athens, Greece
(2) University of Tartu, Estonia
CANS 2013, Paraty, Brazil
Outline
- NIZK Background
- The New Succinct Commitment Scheme
- The Improved Hadamard Product Argument
- The Shift and Rotation Arguments
- Applications
- Conclusion
Non-interactive Zero-knowledge (NIZK) Argument
Statement: $x \in L$. Proof: $\psi$.
Constant-Size NIZK Arguments
- A constant-size NIZK argument for CIRCUIT-SAT was first proposed by Groth [ASIACRYPT 2010]; its CRS size is $O(n^2)$.
- Lipmaa then improved Groth's NIZK argument for CIRCUIT-SAT [TCC 2012]; the CRS size is $O(n^{1+o(1)})$.
- Gennaro et al. proposed another constant-size NIZK argument for CIRCUIT-SAT based on quadratic span programs [EUROCRYPT 2013]; the prover's computation complexity is $\Theta(n \log^3 n)$.
- Lipmaa proposed a better span-program-based NIZK argument with prover's computation $\Theta(n \log^2 n)$ [ASIACRYPT 2013].
Modular NIZK Arguments
- Hadamard Product Arguments: show that the given commitments of vectors $a = (a_1, a_2, \dots, a_n)$, $b = (b_1, b_2, \dots, b_n)$, $c = (c_1, c_2, \dots, c_n)$ satisfy $a \circ b = c := (c_1 = a_1 b_1, \dots, c_n = a_n b_n)$.
- (Public) Permutation Arguments: show that the given commitments of vectors $a = (a_1, a_2, \dots, a_n)$, $b = (b_1, b_2, \dots, b_n)$ satisfy $b = \pi(a) := (b_1 = a_{\pi(1)}, \dots, b_n = a_{\pi(n)})$, where $\pi$ is a public permutation.
Modular NIZK Arguments
- Shift Arguments (this work): show that the given commitments of vectors $a = (a_1, a_2, \dots, a_n)$, $b = (b_1, b_2, \dots, b_n)$ satisfy $(a_1, \dots, a_n) = (b_{\xi+1}, \dots, b_n, 0, \dots, 0)$.
- Rotation Arguments (this work): show that the given commitments of vectors $a = (a_1, a_2, \dots, a_n)$, $b = (b_1, b_2, \dots, b_n)$ satisfy $(a_1, \dots, a_n) = (b_{\xi+1}, \dots, b_n, b_1, \dots, b_\xi)$.
Comparison of NIZK Arguments

Scheme    | |CRS|                | |Argument|  | Prover's computation           | Verifier's computation
[Gro10]   | $\Theta(n^2)$        | $\Theta(1)$ | $\Theta(n^2)$ exp              | $\Theta(n)$ mul + $\Theta(1)$ pairing
[Lip12]   | $\Theta(n^{1+o(1)})$ | $\Theta(1)$ | $\Theta(n^{1+o(1)})$ exp       | $\Theta(n^2)$ add + $\Theta(n)$ exp + $\Theta(1)$ pairing
This work | $\Theta(n^{1+o(1)})$ | $\Theta(1)$ | $\Theta(n^{1+o(1)} \log n)$ mul | $\Theta(n)$ mul + $\Theta(1)$ pairing
Power Knowledge of Exponent Assumption
- Gentry and Wichs showed that succinct NIZK arguments cannot be based on falsifiable assumptions [STOC 2011].
- Knowledge of Exponent Assumption [Dam91]: given $(g, h := g^s)$, if $\mathcal{A}$ outputs $(C, D)$ such that $D = C^s$, then there exists an extractor $\mathcal{X}$ that can access the random tape of $\mathcal{A}$ and output $(c, d)$ such that $C = g^c$, $D = h^d$.
- Power Knowledge of Exponent Assumption: given $(g_i := g^{\sigma^i}, h_i := g^{s \sigma^i})_{i \in [n]}$, if $\mathcal{A}$ outputs $(C, D)$ s.t. $D = C^s$, then there exists an extractor $\mathcal{X}$ that can access the random tape of $\mathcal{A}$ and output $(c_i, d_i)_{i \in [n]}$ s.t. $C = \prod_{i=1}^n g_i^{c_i}$, $D = \prod_{i=1}^n h_i^{d_i}$.
The New Succinct Vector Commitment Scheme
- System parameters: $\Lambda = \{\lambda_1, \dots, \lambda_n\}$ and $v > \max_i \lambda_i$.
- Key generation: set $(g^{\lambda_i}, \hat g^{\lambda_i}) \leftarrow (g, \hat g^{\alpha})^{\sigma^{\lambda_i}}$ for $i \in [n]$ and $(h, \hat h) \leftarrow (g, \hat g^{\alpha})^{\sigma^v}$. Return $\mathrm{ck} := ((g^{\lambda_i}, \hat g^{\lambda_i})_{i \in [n]}, h, \hat h)$ and $\mathrm{td} := \sigma$.
- Commit to $a = (a_1, \dots, a_n)$: pick $r \leftarrow \mathbb{Z}_p$; return $(c, \hat c) := (h, \hat h)^r \cdot \prod_{i=1}^n (g^{\lambda_i}, \hat g^{\lambda_i})^{a_i}$.
- Trapdoor commit: pick $r \leftarrow \mathbb{Z}_p$; return $(c, \hat c) := (h, \hat h)^r$.
- Trapdoor open to $a = (a_1, \dots, a_n)$: set $r_{\mathrm{td}} \leftarrow r - \sum_{i=1}^n a_i \sigma^{\lambda_i - v}$; return $(a, r_{\mathrm{td}})$.
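As an added example (not code from the paper or its authors), the commitment scheme above instantiated in a single prime-order group so that it runs in the clear: the pairing group and the second knowledge component $\hat g^{\alpha}$ are dropped, and the parameters p = 2039, q = 1019, G = 4 together with the vectors in demo() are constructed here. It shows the commit/open check and why $\sigma$ is a trapdoor: whoever holds $\sigma$ can take a commitment made with no vector in mind and later open it to any $a$, which is what the simulator relies on and what the CRS generator must therefore never leak.

```python
# Added example (not the paper's code): the vector commitment from the slide,
# instantiated in a single prime-order group so it can run in the clear.
# Constructed toy parameters: p = 2039 = 2q + 1 with q = 1019 prime; G = 4
# generates the order-q subgroup. The real scheme uses a bilinear group and a
# second "knowledge" component (the hat-g^alpha part); both are dropped here.
import secrets

P, Q, G = 2039, 1019, 4   # group modulus, group order, subgroup generator


def keygen(lam, v, sigma=None):
    """ck = (g^{sigma^{lambda_i}})_i and h = g^{sigma^v}; td = sigma.
    Exponents live in Z_q because the group has order q."""
    if sigma is None:
        sigma = secrets.randbelow(Q - 1) + 1          # trapdoor sigma in [1, q-1]
    ck = {
        "lam": list(lam),
        "v": v,
        "g_lam": [pow(G, pow(sigma, l, Q), P) for l in lam],
        "h": pow(G, pow(sigma, v, Q), P),
    }
    return ck, sigma


def commit(ck, a, r):
    """c = h^r * prod_i (g^{lambda_i})^{a_i}."""
    c = pow(ck["h"], r % Q, P)
    for g_l, a_i in zip(ck["g_lam"], a):
        c = c * pow(g_l, a_i % Q, P) % P
    return c


def open_ok(ck, c, a, r):
    """Verifier side: recompute the commitment from the claimed opening (a, r)."""
    return commit(ck, a, r) == c


def trapdoor_commit(ck, r):
    """Trapdoor commit: h^r, with no vector bound to it yet."""
    return pow(ck["h"], r % Q, P)


def trapdoor_open(ck, td, a, r):
    """r_td = r - sum_i a_i * sigma^{lambda_i - v} (mod q). Since v > lambda_i,
    sigma^{lambda_i - v} is computed as (sigma^{-1})^{v - lambda_i}."""
    sigma_inv = pow(td, -1, Q)
    s = sum(a_i * pow(sigma_inv, ck["v"] - l, Q) for a_i, l in zip(a, ck["lam"]))
    return (r - s) % Q


def demo():
    lam, v = [1, 2, 4, 5], 11                          # constructed Lambda and v > max Lambda
    ck, sigma = keygen(lam, v)
    a = [2, 3, 5, 7]
    c = commit(ck, a, 42)
    honest = open_ok(ck, c, a, 42)                     # True
    tampered = open_ok(ck, c, [2, 3, 5, 8], 42)        # False: one entry changed
    tc = trapdoor_commit(ck, 7)                        # committed to nothing yet
    r_td = trapdoor_open(ck, sigma, a, 7)              # holder of sigma opens it to a
    return honest, tampered, open_ok(ck, tc, a, r_td)  # (True, False, True)
```

The tampered opening fails deterministically here because changing one entry multiplies the commitment by a non-identity subgroup element; the trapdoor opening succeeds for every vector, which is exactly the property that makes knowledge of $\sigma$ equivalent to breaking binding.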
The Improved Hadamard Product Argument
- Main idea: let
  $A := \mathrm{Com}(a; r_a) = g_1^{r_a \sigma^v + \sum_{i=1}^n a_i \sigma^{\lambda_i}}$,
  $B_2 := \mathrm{Com}(b; r_b) = g_2^{r_b \sigma^v + \sum_{i=1}^n b_i \sigma^{\lambda_i}}$,
  $C := \mathrm{Com}(c; r_c) = g_1^{r_c \sigma^v + \sum_{i=1}^n c_i \sigma^{\lambda_i}}$,
  $D := \mathrm{Com}(\mathbf{1}; 0) = g_2^{\sum_{i=1}^n \sigma^{\lambda_i}}$.
- Goal: to enable $e(A, B_2) / e(C, D) = e(g_1, \psi)$.
- From the left side we have:
  $\log_{e(g_1, g_2)}\big(e(A, B_2) / e(C, D)\big) = \big(r_a \sigma^v + \sum_{i=1}^n a_i \sigma^{\lambda_i}\big)\big(r_b \sigma^v + \sum_{i=1}^n b_i \sigma^{\lambda_i}\big) - \big(r_c \sigma^v + \sum_{i=1}^n c_i \sigma^{\lambda_i}\big)\big(\sum_{i=1}^n \sigma^{\lambda_i}\big)$.
- So the CRS is designed to allow the prover to compute all the monomials except the ones associated with $a_i b_i - c_i$.
The Improved Hadamard Product Argument
- Speed up the prover's computation:
  - FFT-based polynomial multiplication techniques: $u(x), v(x) \mapsto u(x) \cdot v(x)$.
  - Pippenger's multi-exponentiation algorithms: $\prod_{i=1}^n g_i^{x_i}$.
The Shift-by-$\xi$ Argument
- Main idea: let $A := \mathrm{Com}(a; r_a) = g_1^{r_a \sigma^v + \sum_{i=1}^n a_i \sigma^{\lambda_i}}$ and $B := \mathrm{Com}(b; r_b) = g_1^{r_b \sigma^v + \sum_{i=1}^n b_i \sigma^{\lambda_i}}$.
- Goal: to enable $e(A, g_2^{\sigma^\xi}) / e(B, g_2) = e(g_1, \psi)$.
- We have: $F(\sigma) := \log_{e(g_1, g_2)}\big(e(A, g_2^{\sigma^\xi}) / e(B, g_2)\big) = r_a \sigma^{v+\xi} + \sum_{i=1}^n a_i \sigma^{\lambda_i + \xi} - r_b \sigma^v - \sum_{i=1}^n b_i \sigma^{\lambda_i}$.
- If $(a_1, \dots, a_n) = (b_{\xi+1}, \dots, b_n, 0, \dots, 0)$, then
  $F(\sigma) = -\sum_{i=1}^{\xi} b_i \sigma^{\lambda_i} + \sum_{i=\xi+1}^{n} b_i \big(\sigma^{\lambda_{i-\xi} + \xi} - \sigma^{\lambda_i}\big) + r_a \sigma^{v+\xi} - r_b \sigma^v$.
- So the CRS is designed to allow the prover to compute them.
The Rotation-by-$\xi$ Argument
- Main idea: let $A := \mathrm{Com}(a; r_a) = g_1^{r_a \sigma^v + \sum_{i=1}^n a_i \sigma^{\lambda_i}}$ and $B := \mathrm{Com}(b; r_b) = g_1^{r_b \sigma^v + \sum_{i=1}^n b_i \sigma^{\lambda_i}}$.
- Goal: to enable $e(A, g_2^{\sigma^\xi}) / e(B, g_2) = e(g_1, \psi)$.
- We have: $F(\sigma) := \log_{e(g_1, g_2)}\big(e(A, g_2^{\sigma^\xi}) / e(B, g_2)\big) = r_a \sigma^{v+\xi} + \sum_{i=1}^n a_i \sigma^{\lambda_i + \xi} - r_b \sigma^v - \sum_{i=1}^n b_i \sigma^{\lambda_i}$.
- If $(a_1, \dots, a_n) = (b_{\xi+1}, \dots, b_n, b_1, \dots, b_\xi)$, then
  $F(\sigma) := \sum_{i=1}^{\xi} b_i \big(\sigma^{\lambda_{n-\xi+i} + \xi} - \sigma^{\lambda_i}\big) + \sum_{i=\xi+1}^{n} b_i \big(\sigma^{\lambda_{i-\xi} + \xi} - \sigma^{\lambda_i}\big) + r_a \sigma^{v+\xi} - r_b \sigma^v$.
- So the CRS is designed to allow the prover to compute them.
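The three arguments above (Hadamard product, shift-by-$\xi$, rotation-by-$\xi$) all rest on the same kind of fact: the exponent $F(\sigma)$ is a polynomial in $\sigma$, and the CRS hands the prover exactly the monomials an honest prover needs, so a cheating prover is left with a non-zero coefficient on a monomial it cannot produce. As an added example (not code from the paper or its authors), the following computes those "leftover" coefficients in the clear. Polynomials in $\sigma$ are dicts from exponent to coefficient; $\Lambda = \{1, 2, 4, 5\}$ is a constructed progression-free set (the property the CRS design relies on so that only $a_i b_i$ lands on $\sigma^{2\lambda_i}$), and $v = 2 \max\Lambda + 1$ is a choice made for this example, stronger than the slides' $v > \max_i \lambda_i$, so that no randomizer monomial collides with $\sigma^{2\lambda_i}$. It goes slightly beyond the slides by treating any $\xi$, not just $\xi = 1$.

```python
# Added example (not the paper's code): the exponent-polynomial identities of the
# Hadamard product, shift-by-xi and rotation-by-xi arguments, computed in the
# clear. A polynomial in sigma is a dict {exponent: coefficient}. Constructed
# parameters: Lambda = [1, 2, 4, 5] (progression-free) and v = 2*max(Lambda)+1,
# a choice made here so no randomizer monomial lands on an exponent 2*lambda_i.
from collections import defaultdict


def padd(p, q, sign=1):
    """p + sign*q, dropping zero coefficients."""
    r = defaultdict(int, p)
    for e, c in q.items():
        r[e] += sign * c
    return {e: c for e, c in r.items() if c}


def pmul(p, q):
    r = defaultdict(int)
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            r[e1 + e2] += c1 * c2
    return {e: c for e, c in r.items() if c}


def com_exponent(vec, r, lam, v):
    """Exponent of Com(vec; r) = g^{r sigma^v + sum_i vec_i sigma^{lambda_i}}."""
    p = {v: r}
    for a_i, l in zip(vec, lam):
        p = padd(p, {l: a_i})
    return p


def is_progression_free(lam):
    """No lambda_j + lambda_k = 2 lambda_i with j != k, so the only product term
    that lands on sigma^{2 lambda_i} is a_i * b_i."""
    s = set(lam)
    return all(2 * l - x not in s for l in lam for x in lam if x != l)


def hadamard_gap(a, b, c, ra, rb, rc, lam, v):
    """Coefficients of F(sigma) = log(e(A,B_2)/e(C,D)) at sigma^{2 lambda_i}, the
    monomials the CRS deliberately omits; entry i equals a_i*b_i - c_i."""
    assert is_progression_free(lam) and v > 2 * max(lam)
    A = com_exponent(a, ra, lam, v)
    B = com_exponent(b, rb, lam, v)
    C = com_exponent(c, rc, lam, v)
    D = com_exponent([1] * len(lam), 0, lam, v)
    F = padd(pmul(A, B), pmul(C, D), sign=-1)
    return [F.get(2 * l, 0) for l in lam]


def shift_gap(a, b, ra, rb, lam, v, xi, rotate=False):
    """F(sigma) = log(e(A, g_2^{sigma^xi}) / e(B, g_2)) minus the polynomial an
    honest prover assembles from the CRS elements of the slides. What is left
    sits on sigma^{lambda_i + xi} and equals a - (b shifted, or rotated, by xi)."""
    n = len(lam)
    A = com_exponent(a, ra, lam, v)
    B = com_exponent(b, rb, lam, v)
    F = padd(pmul(A, {xi: 1}), B, sign=-1)
    honest = padd({v + xi: ra}, {v: -rb})          # r_a sigma^{v+xi} - r_b sigma^v
    for i in range(1, n + 1):                      # 1-based indices as on the slides
        b_i, l_i = b[i - 1], lam[i - 1]
        if i > xi:                                 # b_i sigma^{lambda_{i-xi}+xi}
            honest = padd(honest, {lam[i - xi - 1] + xi: b_i})
        elif rotate:                               # b_i sigma^{lambda_{n-xi+i}+xi}
            honest = padd(honest, {lam[n - xi + i - 1] + xi: b_i})
        honest = padd(honest, {l_i: -b_i})         # the -b_i sigma^{lambda_i} part
    gap = padd(F, honest, sign=-1)
    assert set(gap) <= {l + xi for l in lam}       # nothing else is left over
    return [gap.get(l + xi, 0) for l in lam]


def demo():
    lam, v = [1, 2, 4, 5], 11
    a, b = [2, 3, 5, 7], [1, 4, 6, 8]
    good = hadamard_gap(a, b, [2, 12, 30, 56], 3, 5, 7, lam, v)     # a o b = c
    bad = hadamard_gap(a, b, [2, 12, 31, 56], 3, 5, 7, lam, v)      # c_3 off by one
    shifted = shift_gap([4, 6, 8, 0], b, 3, 5, lam, v, xi=1)        # a = (b_2, b_3, b_4, 0)
    rotated = shift_gap([4, 6, 8, 1], b, 3, 5, lam, v, xi=1, rotate=True)
    wrong = shift_gap([4, 6, 8, 1], b, 3, 5, lam, v, xi=1)          # rotation claimed as shift
    return good, bad, shifted, rotated, wrong
```

demo() returns all-zero gaps for the honest inputs, `[0, 0, -1, 0]` for the product with a wrong $c_3$, and `[0, 0, 0, 1]` when a rotation is presented as a shift: the non-zero entry is exactly the coefficient of a monomial the CRS does not contain, which is why a prover without the trapdoor cannot produce a valid $\psi$ for a false statement.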
Applications
- Improved range argument
- Set partition argument
- Subset-sum argument
- Decision-knapsack argument
Improved range argument (simplified version)
- Basic idea: show $a \in [0, 2^{\ell+1})$ by showing $a = \sum_{i=0}^{\ell} b_i 2^i$ with $b_i \in \{0, 1\}$.
- Steps:
  1. Commit $A = \mathrm{Com}(a; r_a)$, $B = \mathrm{Com}((b_0, \dots, b_\ell); r_b)$.
  2. Show that $[b_0, \dots, b_\ell] \circ [b_0, \dots, b_\ell] = [b_0, \dots, b_\ell]$.
  3. Set and prove that $[b_0, \dots, b_\ell] \circ [2^0, \dots, 2^\ell] = [c_0, \dots, c_\ell]$.
  4. Set $[d_0, d_1, \dots, d_\ell] := \big[\sum_{j=0}^{0} c_j, \sum_{j=0}^{1} c_j, \dots, \sum_{j=0}^{\ell} c_j\big]$.
  5. Set and prove $[e_0, e_1, \dots, e_\ell] := [0, d_0, \dots, d_{\ell-1}]$.
  6. Show that $[e_0, e_1, \dots, e_\ell] + [c_0, c_1, \dots, c_\ell] = [d_0, d_1, \dots, d_\ell]$.
  7. Show that $[d_0, d_1, \dots, d_\ell] \circ [0, 0, \dots, 1] = [0, 0, \dots, a]$.
Set Partition Argument
- Set partition problem: given $S = (s_1, \dots, s_n)$, $s_i \in \mathbb{Z}_p$, find a set $V \subset S$ such that $\sum_{x \in V} x = \sum_{y \in S \setminus V} y$.
- Argument steps: define $b_i = 1$ for $s_i \in V$ and $b_j = -1$ for $s_j \in S \setminus V$.
  1. Commit and show that $[b_1, \dots, b_n] \circ [b_1, \dots, b_n] = [1, \dots, 1]$.
  2. Commit and show that $[s_1, \dots, s_n] \circ [b_1, \dots, b_n] = [c_1, \dots, c_n]$.
  4. Set $[d_0, d_1, \dots, d_n] := \big[\sum_{j=0}^{0} c_j, \sum_{j=0}^{1} c_j, \dots, \sum_{j=0}^{n} c_j\big]$.
  5. Set and prove $[e_0, e_1, \dots, e_n] := [0, d_0, \dots, d_{n-1}]$.
  6. Show that $[e_0, e_1, \dots, e_n] + [c_0, c_1, \dots, c_n] = [d_0, d_1, \dots, d_n]$.
  7. Show that $[d_1, \dots, d_n] \circ [0, \dots, 0, 1] = [0, \dots, 0]$.
Subset-sum Argument
- Subset-sum problem: given $S = (s_1, \dots, s_n)$, $s_i \in \mathbb{Z}_p$, and the target $t \in \mathbb{Z}_p$, find a set $V \subset S$ such that $\sum_{x \in V} x = t$.
- Argument steps: define $b_i = 1$ for $s_i \in V$ and $b_j = 0$ for $s_j \in S \setminus V$.
  1. Commit and show that $[b_0, \dots, b_n] \circ [b_0, \dots, b_n] = [b_0, \dots, b_n]$.
  2. Commit and show that $[s_1, \dots, s_n] \circ [b_1, \dots, b_n] = [c_1, \dots, c_n]$.
  4. Set $[d_0, d_1, \dots, d_n] := \big[\sum_{j=0}^{0} c_j, \sum_{j=0}^{1} c_j, \dots, \sum_{j=0}^{n} c_j\big]$.
  5. Set and prove $[e_0, e_1, \dots, e_n] := [0, d_0, \dots, d_{n-1}]$.
  6. Show that $[e_0, e_1, \dots, e_n] + [c_0, c_1, \dots, c_n] = [d_0, d_1, \dots, d_n]$.
  7. Show that $[d_1, \dots, d_n] \circ [0, \dots, 0, 1] = [0, \dots, 0, t]$.
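The range, set-partition and subset-sum slides above all reduce their NP relation to the same small set of vector relations: a Hadamard product to pin the witness entries to $\{0,1\}$ or $\{\pm 1\}$, a product with the public vector, a prefix-sum chain proven through one shift argument and one homomorphic addition of commitments, and a final Hadamard product that isolates the last entry. As an added example (not code from the paper or its authors), the following checks those relations in the clear over the integers, with every input constructed here; it is the in-the-clear counterpart of what the verifier accepts only through the commitments. The prefix sums are taken over $c_1, \dots, c_n$ (with $d_0$ being the first partial sum), matching the $[d_1, \dots, d_n]$ used in step 7.

```python
# Added example (not the paper's code): the vector relations that the range,
# set-partition and subset-sum arguments reduce to, checked in the clear over
# the integers. hadamard() stands for the relation the product argument proves,
# prefix_chain() for the prefix-sum / shift / homomorphic-sum steps 4-6, and
# last_entry() for step 7. All inputs are constructed for this example.


def hadamard(x, y):
    return [xi * yi for xi, yi in zip(x, y)]


def vec_add(x, y):
    return [xi + yi for xi, yi in zip(x, y)]


def prefix_chain(c):
    """Steps 4-6: d_k = sum_{j<=k} c_j, e = [0, d_0, ..., d_{last-1}] (the shift
    relation), and the recurrence e + c = d that a verifier can check on the
    commitments by homomorphic addition."""
    d, run = [], 0
    for cj in c:
        run += cj
        d.append(run)
    e = [0] + d[:-1]
    return d, e, vec_add(e, c) == d


def last_entry(d, want):
    """Step 7: d o [0, ..., 0, 1] = [0, ..., 0, want]."""
    unit = [0] * (len(d) - 1) + [1]
    return hadamard(d, unit) == [0] * (len(d) - 1) + [want]


def range_relations(a, bits):
    """a in [0, 2^(l+1)) with witness bits (b_0, ..., b_l)."""
    c = hadamard(bits, [2 ** i for i in range(len(bits))])   # step 3
    d, _, recurrence = prefix_chain(c)
    return {
        "bits_binary": hadamard(bits, bits) == bits,        # step 2
        "prefix_recurrence": recurrence,                     # step 6
        "last_is_a": last_entry(d, a),                       # step 7
    }


def set_partition_relations(s, b):
    """b_i = +1 for s_i in V, -1 otherwise; both halves must sum to the same value."""
    d, _, recurrence = prefix_chain(hadamard(s, b))
    return {
        "signs_pm1": hadamard(b, b) == [1] * len(s),        # step 1
        "prefix_recurrence": recurrence,                     # step 6
        "total_is_zero": last_entry(d, 0),                   # step 7
    }


def subset_sum_relations(s, t, b):
    """b_i = 1 for s_i in V, 0 otherwise; the chosen elements must sum to t."""
    d, _, recurrence = prefix_chain(hadamard(s, b))
    return {
        "bits_binary": hadamard(b, b) == b,                  # step 1
        "prefix_recurrence": recurrence,                     # step 6
        "total_is_t": last_entry(d, t),                      # step 7
    }


def demo():
    ok = all(range_relations(13, [1, 0, 1, 1]).values())            # 13 = 1 + 4 + 8
    not_bits = range_relations(14, [2, 0, 1, 1])["bits_binary"]     # 2*1 + 4 + 8 = 14, but 2 is not a bit
    part = all(set_partition_relations([3, 1, 1, 2, 2, 1], [1, -1, -1, 1, -1, -1]).values())
    ssum = all(subset_sum_relations([3, 34, 4, 12, 5, 2], 9, [0, 0, 1, 0, 1, 0]).values())
    wrong = subset_sum_relations([3, 34, 4, 12, 5, 2], 9, [1, 0, 0, 0, 0, 0])["total_is_t"]
    return ok, not_bits, part, ssum, wrong                          # (True, False, True, True, False)
```

The `not_bits` case is the reason step 2 exists: without the binary check, a "digit" of 2 would let a value be written with fewer positions than the range allows, so the final entry alone proves nothing about $a$.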