groth sahai proof system
play

Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure - PowerPoint PPT Presentation

Apr 06, 2023 •138 likes •879 views

Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure Jan. 21st 2011 O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 1 / 38 Contents Introduction 1 Groth-Sahai proof system 2 Non-Interactive Zero-Knowledge

  1. Groth-Sahai proof system Olivier Blazy ´ Ecole normale sup´ erieure Jan. 21st 2011 O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 1 / 38

  2. Contents Introduction 1 Groth-Sahai proof system 2 Non-Interactive Zero-Knowledge proofs Bilinear maps Groth-Ostrovsky-Sahai Groth-Sahai (2008) O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 2 / 38

  3. Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. � Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting . . . O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 3 / 38

  4. Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. � Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting . . . O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 3 / 38

  5. Zero-Knowledge Proof Systems Introduced in 1985 by Goldwasser, Micali and Rackoff. � Reveal nothing other than the validity of assertion being proven Used in many cryptographic protocols Anonymous credentials Anonymous signatures Online voting . . . O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 3 / 38

  6. Zero-Knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S . Completeness: if S is true, the honest verifier will be convinced of this fact 1 Soundness: if S is false, no cheating prover can convince the honest verifier 2 that it is true Zero-knowledge: if S is true, no cheating verifier learns anything other than 3 this fact. O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 4 / 38

  7. Zero-Knowledge Interactive Proof Alice Bob interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S . Completeness: if S is true, the honest verifier will be convinced of this fact 1 Soundness: if S is false, no cheating prover can convince the honest verifier 2 that it is true Zero-knowledge: if S is true, no cheating verifier learns anything other than 3 this fact. O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 4 / 38

  8. Non-Interactive Zero-Knowledge Proof Alice Bob non-interactive method for one party to prove to another that a statement S is true, without revealing anything other than the veracity of S . Completeness: S is true � verifier will be convinced of this fact 1 Soundness: S is false � no cheating prover can convince the verifier that S 2 is true Zero-knowledge: S is true � no cheating verifier learns anything other than 3 this fact. O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 5 / 38

  9. Non-Interactive Witness-Indistinguishable Proof Alice Bob non-interactive method for one party to prove to another that a statement S is true, without revealing which witness was used. Completeness: S is true � verifier will be convinced of this fact 1 Soundness: S is false � no cheating prover can convince the verifier that S 2 is true Witness indistinguishability: S is true � no cheating verifier can 3 distinguish between two provers that use different witnesses. O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 6 / 38

  10. History of NIZK Proofs Inefficient NIZK Blum-Feldman-Micali, 1988. ... De Santis-Di Crescenzo-Persiano, 2002. Alternative: Fiat-Shamir heuristic, 1986: interactive ZK proof � NIZK But there are examples of insecure Fiat-Shamir transformation Groth-Ostrovsky-Sahai, 2006. Groth-Sahai, 2008. O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 7 / 38

  11. History of NIZK Proofs Inefficient NIZK Blum-Feldman-Micali, 1988. ... De Santis-Di Crescenzo-Persiano, 2002. Alternative: Fiat-Shamir heuristic, 1986: interactive ZK proof � NIZK But there are examples of insecure Fiat-Shamir transformation Groth-Ostrovsky-Sahai, 2006. Groth-Sahai, 2008. O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 7 / 38

  12. History of NIZK Proofs Inefficient NIZK Blum-Feldman-Micali, 1988. ... De Santis-Di Crescenzo-Persiano, 2002. Alternative: Fiat-Shamir heuristic, 1986: interactive ZK proof � NIZK But there are examples of insecure Fiat-Shamir transformation Groth-Ostrovsky-Sahai, 2006. Groth-Sahai, 2008. O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 7 / 38

  13. History of NIZK Proofs Inefficient NIZK Blum-Feldman-Micali, 1988. ... De Santis-Di Crescenzo-Persiano, 2002. Alternative: Fiat-Shamir heuristic, 1986: interactive ZK proof � NIZK But there are examples of insecure Fiat-Shamir transformation Groth-Ostrovsky-Sahai, 2006. Groth-Sahai, 2008. O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 7 / 38

  14. Applications of NIZK Proofs Fancy signature schemes group signatures ring signatures traceable signatures . . . Efficient non-interactive proof of correctness of shuffle Non-interactive anonymous credentials CCA-2-secure encryption schemes Identification E-voting E-cash . . . O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 8 / 38

  15. Composite order bilinear structure: What ? ( e , G , G T , g , n ) bilinear structure: G , G T multiplicative groups of order n = pq n = RSA integer � g � = G e : G × G → G T � e ( g , g ) � = G T e ( g a , g b ) = e ( g , g ) ab , a , b ∈ Z  deciding group membership,   group operations, efficiently computable.   bilinear map O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 9 / 38

  16. Composite order bilinear structure: Why ? Deciding Diffie-Hellman tuples: given ( g , g a , g b , g c ) ∈ G 4 1 ⇒ e ( g a , g b ) = e ( g , g c ) c = ab ⇐ If h ∈ G q : 2 ∀ v ∈ G , e ( h , v ) q = 1 e ( g a h b , g ) q = e ( g , g ) aq Applications: “Somewhat homomorphic” encryption, Traitor tracing, Signatures, Attribute-based encryption, Fully secure HIBE, . . . O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 10 / 38

  17. Composite order bilinear structure: Why ? Deciding Diffie-Hellman tuples: given ( g , g a , g b , g c ) ∈ G 4 1 ⇒ e ( g a , g b ) = e ( g , g c ) c = ab ⇐ If h ∈ G q : 2 ∀ v ∈ G , e ( h , v ) q = 1 e ( g a h b , g ) q = e ( g , g ) aq Applications: “Somewhat homomorphic” encryption, Traitor tracing, Signatures, Attribute-based encryption, Fully secure HIBE, . . . O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 10 / 38

  18. Composite order bilinear structure: Why ? Deciding Diffie-Hellman tuples: given ( g , g a , g b , g c ) ∈ G 4 1 ⇒ e ( g a , g b ) = e ( g , g c ) c = ab ⇐ If h ∈ G q : 2 ∀ v ∈ G , e ( h , v ) q = 1 e ( g a h b , g ) q = e ( g , g ) aq Applications: “Somewhat homomorphic” encryption, Traitor tracing, Signatures, Attribute-based encryption, Fully secure HIBE, . . . O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 10 / 38

  19. Boneh-Goh-Nissim Encryption Scheme Public key: ( e , G , G T , n ) bilinear structure with n = pq g ∈ G , h ∈ G q . Secret key: p , q Encryption: c = g m h r ( r $ ← Z n ) Decryption: c q = ( g m h r ) q = g mq h qr = ( g q ) m (+ DL) IND-CPA-secure under the: Subgroup Membership Assumption Hard to distinguish h ∈ G q from random h of order n O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 11 / 38

  20. Boneh-Goh-Nissim Commitment Scheme Public key: ( e , G , G T , n = pq ) bilinear structure g ∈ G , h ∈ G q . Commitment: c = g m h r ( r $ ← Z n ) Perfectly binding: unique m mod p Computationally hiding: indistinguishable from h of order n Somewhat homomorphic properties: ( g a h r ) · ( g b h s ) = g a + b h r + s e ( g a h r , g b h s ) e ( g a , g b ) e ( h r , g b ) e ( g a , h s ) e ( h r , h s ) = e ( g , g ) ab e ( h , g as + rb h rs ) = O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 12 / 38

  21. Groth-Ostrovsky-Sahai: NIZK Proof for Circuit SAT Groth, Ostrovsky and Sahai (2006) Perfect completeness, perfect soundness, computational zero-knowledge for NP Common reference string: O ( k ) bits Proof: O ( | C | k ) bits Circuit-SAT is NP-complete w 1 w 4 w 2 1 w 3 Idea: Commit w i using BGN encryption Prove the validity using homomorphic properties O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 13 / 38

  22. NIZK Proof for Circuit SAT c 4 = g w 4 h r 4 g w 1 h r 1 = c 1 g w 2 h r 2 = c 2 g 1 g w 3 h r 3 = c 3 Prove w i ∈ { 0 , 1 } for i ∈ { 1 , 2 , 3 , 4 } Prove w 4 = ¬ ( w 1 ∧ w 2 ) Prove 1 = ¬ ( w 3 ∧ w 4 ) O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 14 / 38

  23. Proof for c Containing 0 or 1 w mod p ∈ { 0 , 1 } ⇐ ⇒ w ( w − 1) = 0 mod p For c = g w h r we have e ( c , cg − 1 ) e ( g w h r , g w − 1 h r ) = e ( g w , g w − 1 ) e ( h r , g w − 1 ) e ( g w , h r ) e ( h r , h r ) = e ( g , g ) w ( w − 1) e ( h , ( g 2 w − 1 h r ) r ) = � �� � π π = g 2 w − 1 h r = proof that c contains 0 or 1 mod p . ( c detemines w uniquely mod p since ord ( h ) = q ) Randomizable proof ! O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 15 / 38

Recommend

The Resolution Proof System in Propositional Logic While the Hilbert proof system has the

The Resolution Proof System in Propositional Logic While the Hilbert proof system has the

The Resolution Proof System in Propositional Logic While the Hilbert proof system has the property that it reflects the methods by which humans commonly do mathematics, it is ill suited for use in automated reasoning, because of the infinite

590 views • 41 slides
EECS 290S: Network Information Flow Anant Sahai David Tse Logistics Anant Sahai: 267 Cory

EECS 290S: Network Information Flow Anant Sahai David Tse Logistics Anant Sahai: 267 Cory

EECS 290S: Network Information Flow Anant Sahai David Tse Logistics Anant Sahai: 267 Cory (office hours in 258 Cory), sahai@eecs. Office hours: Mon 4-5pm and Tue 2:30-3:30pm. David Tse, 257 Cory (enter through 253 Cory), dtse@eecs.

532 views • 18 slides
A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte

A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte

Introduction Proof System Applications Experiments A Proof System for Unsolvable Planning Tasks Salom e Eriksson Gabriele R oger Malte Helmert University of Basel, Switzerland ICAPS 2018 Introduction Proof System Applications

325 views • 21 slides
Cryptography with Tamperable and Leaky Memory Yael Tauman Kalai Bhavana Kanukurthi Amit Sahai

Cryptography with Tamperable and Leaky Memory Yael Tauman Kalai Bhavana Kanukurthi Amit Sahai

Cryptography with Tamperable and Leaky Memory Yael Tauman Kalai Bhavana Kanukurthi Amit Sahai MSR UCLA UCLA Leakage Resilient Cryptography [Rivest1997, Boyko1999, Canetti-Dodis-Halevi-Kushilevitz-Sahai2000, Ishai-Sahai-Wagner2003, Micali-

716 views • 14 slides
Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and Interactions September 20, 2016 1/47 Introduction to SAT and QBF Proof Checking Clausal Proof Systems for SAT and QBF Abstract Proof System for SAT

924 views • 67 slides
MG IPM 2019 Page 1 The $5 hole Start at the Nursery Planting the Plants Improper planting

MG IPM 2019 Page 1 The $5 hole Start at the Nursery Planting the Plants Improper planting

Integrated Pest Integrated Pest Management Management How did we get here? Problems will come up! Oregon IPM There is no silver bullet Gardening is a process Claudia Groth MG Program Instructor claudia.groth.us@gmail.com Good Garden

248 views • 12 slides
The bank-lending channel: The IS-BL model Christian Groth University of Copenhagen November 21,

The bank-lending channel: The IS-BL model Christian Groth University of Copenhagen November 21,

The bank-lending channel: The IS-BL model Christian Groth University of Copenhagen November 21, 2016 C. Groth (University of Copenhagen) 11/2016 1 / 10 directly granted f inancial saving credit credit indirect credit intermediated credit

110 views • 10 slides
3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

Griffith University 3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof by construction 2. Proof by equivalence 3. Proof by contradiction 4. Proof by case analysis 5. Proof by induction

549 views • 11 slides
Explicit vs Implicit CommunicaGon in Control Anant Sahai UC

Explicit vs Implicit CommunicaGon in Control Anant Sahai UC

Explicit vs Implicit CommunicaGon in Control Anant Sahai UC Berkeley Joint with Se Yong Park and Pulkit Grover Thanks to NSF for funding this

1.03k views • 46 slides
Arend Proof Assistant Assisted Pegagogy A graphical proof assistant for undergraduate computer

Arend Proof Assistant Assisted Pegagogy A graphical proof assistant for undergraduate computer

Background Proof assistants in education Arend System description Implementation Future work Arend Proof Assistant Assisted Pegagogy A graphical proof assistant for undergraduate computer science education Andrew V. Clifton

564 views • 52 slides
The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA

The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA

The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA Nancy & INRIA-MSR Joint Centre, France Amir Pnueli Memorial Symposium New York University, May 8, 2010 The TLA + proof system Stephan Merz (INRIA

646 views • 25 slides
The Nuprl Proof Development System Christoph Kreitz Department of Computer Science, Cornell

The Nuprl Proof Development System Christoph Kreitz Department of Computer Science, Cornell

The Nuprl Proof Development System Christoph Kreitz Department of Computer Science, Cornell University Ithaca, NY 14853 http://www.nuprl.org The Nuprl Project at Computational formal logics Type Theory Proof &

1.24k views • 93 slides
Updatable and Universal Common Reference Strings with Applications to zk-SNARKs Jens Groth,

Updatable and Universal Common Reference Strings with Applications to zk-SNARKs Jens Groth,

Updatable and Universal Common Reference Strings with Applications to zk-SNARKs Jens Groth, Markulf Kohlweiss, Mary Maller, Sarah Meiklejohn, Ian Miers. Crypto - 23/08/2018 Our Goal Find a better method than trusted setups for generating the

889 views • 59 slides
Lars Groth Master in Dr. oecon., NHH organizational Norwegian School sociology, UiO of

Lars Groth Master in Dr. oecon., NHH organizational Norwegian School sociology, UiO of

Lars Groth Master in Dr. oecon., NHH organizational Norwegian School sociology, UiO of Economics 1970 1980 1990 2000 2010 2020 Prof. II Nylands Morgen- Media Avenir Verksted bladet Vision NTNU UiO Department of Department

1.67k views • 42 slides
Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on

Uniform Interpolation and Proof Systems Rosalie Iemhoff Utrecht University Workshop on Admissible Rules and Unification II Les Diablerets, February 2, 2015 1 / 12 Proof systems An old question: When does a logic have a decent proof system? 2

624 views • 50 slides
A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms. 3. Each statement is derived via the derivation rules. Zero Knowledge Protocols 4. The proof is fixed, i.e, in any time,

642 views • 14 slides
Encryption Scheme And Thoughts on Bootstrapping The FHE scheme is joint work with Amit Sahai

Encryption Scheme And Thoughts on Bootstrapping The FHE scheme is joint work with Amit Sahai

A Simple (Leveled) Fully Homomorphic Encryption Scheme And Thoughts on Bootstrapping The FHE scheme is joint work with Amit Sahai (UCLA) and Brent Waters (UT Austin) Supported by IARPA contract number D11PC20202 August 15, 2013 Workshop on

719 views • 32 slides
Recovery Credit System : Proof of Concept for GCWA Brian

Recovery Credit System : Proof of Concept for GCWA Brian

Recovery Credit System : Proof of Concept for GCWA Brian Hays, Associate Director Ins8tute of Renewable Natural Resources Texas A&M AgriLife Extension

506 views • 21 slides
Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan

Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan

Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU Miyako Ohkubo, NICT Mathematical structures in cryptography Cyclic prime order group G

622 views • 19 slides
Climate Simulation and Modelling at Ministry of Earth Sciences A.K.Sahai Indian Institute of

Climate Simulation and Modelling at Ministry of Earth Sciences A.K.Sahai Indian Institute of

Climate Simulation and Modelling at Ministry of Earth Sciences A.K.Sahai Indian Institute of Tropical Meteorology (IITM) First annual NKN workshop, IIT-B, 31 Oct. -2 Nov., 2012 Major Objectives of MoES To provide the country best possible

673 views • 48 slides
Multiple Sewershed Package 8 - CIPP Carmen C. Groth, P .E., PMP , MBA Project Engineer M.

Multiple Sewershed Package 8 - CIPP Carmen C. Groth, P .E., PMP , MBA Project Engineer M.

Multiple Sewershed Package 8 - CIPP Carmen C. Groth, P .E., PMP , MBA Project Engineer M. Antonio Leyva, P .E. Manager Engineering Fred Flores Contract Administrator Diana Woltersdorf Manager Contract Administration Marisol V.

543 views • 30 slides
The he Essity Essity Gr Group oup Ma Magnus gnus Gr Groth, Pr oth, Presiden esident an t

The he Essity Essity Gr Group oup Ma Magnus gnus Gr Groth, Pr oth, Presiden esident an t

The he Essity Essity Gr Group oup Ma Magnus gnus Gr Groth, Pr oth, Presiden esident an t and CEO d CEO This presentation may contain forward-looking statements. Such statements are based on our current expectations and are subject to

394 views • 13 slides
PROV-AQ: Provenance Access and Query Editors: Authors: Graham Klyne Luc Moreau Paul Groth

PROV-AQ: Provenance Access and Query Editors: Authors: Graham Klyne Luc Moreau Paul Groth

An Overview on PROV-AQ: Provenance Access and Query Editors: Authors: Graham Klyne Luc Moreau Paul Groth Olaf Hartig Yogesh Simmhan James Myers Timothy Lebo Khalid Belhajjame Simon Miles Presentation at the Dagstuhl Seminar on

706 views • 34 slides
PROV-AQ: Provenance Access and Query Editors: Authors: Graham Klyne Luc Moreau Paul Groth

PROV-AQ: Provenance Access and Query Editors: Authors: Graham Klyne Luc Moreau Paul Groth

An Overview on PROV-AQ: Provenance Access and Query Editors: Authors: Graham Klyne Luc Moreau Paul Groth Olaf Hartig Yogesh Simmhan James Myers Timothy Lebo Khalid Belhajjame Simon Miles Stian Soiland-Reyes Purpose Describes how to

394 views • 24 slides

More recommend