
New Constructions of Statistical NIZKs: Dual-Mode DV-NIZKs and More - PowerPoint PPT Presentation



  1. New Constructions of Statistical NIZKs: Dual-Mode DV-NIZKs and More Benoît Libert, Alain Passelègue, Hoeteck Wee, and David J. Wu May 2020

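  2. Non-Interactive Zero-Knowledge (NIZK) [BFM88]
     NP language $\mathcal{L} \subseteq \{0,1\}^*$, statement $x \in \{0,1\}^*$. Diagram: prover, proof $\pi$, verifier (accept if $x \in \mathcal{L}$).
     Completeness: $\forall x \in \mathcal{L} : \Pr[\langle P, V \rangle(x) = \text{accept}] = 1$. “Honest prover convinces honest verifier of true statements”
     Soundness: $\forall x \notin \mathcal{L}, \forall P^* : \Pr[\langle P^*, V \rangle(x) = \text{accept}] \le \varepsilon$. “No prover can convince honest verifier of false statement”
     Can consider both computational and statistical variants.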

  3. Non-Interactive Zero-Knowledge (NIZK) [BFM88]
     NP language $\mathcal{L}$. Real distribution $\pi$ $\approx_c$ ideal distribution $\mathcal{S}(x)$.
     Zero-Knowledge: for all efficient verifiers $V^*$, there exists an efficient simulator $\mathcal{S}$ where $\forall x \in \mathcal{L} : \langle P, V^* \rangle(x) \approx \mathcal{S}(x)$.
     Can consider both computational and statistical variants.

  4. Designated-Verifier NIZKs
     This work: focus primarily on the designated-verifier model.
     Diagram: trusted setup outputs a public CRS $\sigma$ and a secret verification key $k_V$; prover, verifier.

  5. Designated-Verifier NIZKs
     This work: focus primarily on the designated-verifier model.
     Diagram: CRS $\sigma$, verification key $k_V$; the prover computes $\pi = \text{Prove}(\sigma, x, w)$ and sends it to the verifier.
     Requirement: soundness should hold even if the prover has access to the verification oracle.

  6. The Landscape of (DV)-NIZKs

     | Construction | Soundness | Zero-Knowledge | Assumption |
     |---|---|---|---|
     | [FLS90] | statistical | computational | factoring |
     | [CHK03] | statistical | computational | CDH (pairing group) |
     | [GOS06] | stat. / comp. | comp. / stat. | $k$-Lin (pairing group) |
     | [PS19] | stat. / comp. | comp. / stat. | LWE |
     | [SW14] | computational | statistical | iO + OWFs |
     | [QRW19, CH19, KNYY19] | statistical | computational | CDH |
     | [LQRWW19] | computational | computational | CDH/LWE/LPN |
     | [CDIKLOV19] | stat. / comp. | comp. / stat. | DCR |

     Row-group labels on the slide: publicly-verifiable; malicious designated-verifier.

  7. The Landscape of (DV)-NIZKs
     Statistical zero-knowledge seems more difficult to achieve.

     | Construction | Soundness | Zero-Knowledge | Assumption |
     |---|---|---|---|
     | [GOS06] | stat. / comp. | comp. / stat. | $k$-Lin (pairing group) |
     | [PS19] | stat. / comp. | comp. / stat. | LWE |
     | [SW14] | computational | statistical | iO + OWFs |
     | [CDIKLOV19] | stat. / comp. | comp. / stat. | DCR |

     Row-group labels on the slide: publicly-verifiable; malicious designated-verifier.

  8. This Work: Statistical NIZKs
     $\pi \approx_s \mathcal{S}(x)$. Statistical ZK provides everlasting privacy.
     This work: Compiling NIZKs in the hidden-bits model to statistical (DV)-NIZKs
     • Statistical DV-NIZKs from DDH in pairing-free groups / QR / DCR

  9. This Work: Statistical NIZKs
     $\pi \approx_s \mathcal{S}(x)$. Statistical ZK provides everlasting privacy.
     This work: Compiling NIZKs in the hidden-bits model to statistical (DV)-NIZKs
     • Statistical DV-NIZKs from DDH in pairing-free groups / QR / DCR
     More precisely: DV-NIZKs are “dual-mode” and maliciously secure.

  10. This Work: Statistical NIZKs
     $\pi \approx_s \mathcal{S}(x)$. Statistical ZK provides everlasting privacy.
     This work: Compiling NIZKs in the hidden-bits model to statistical (DV)-NIZKs
     • Statistical DV-NIZKs from DDH in pairing-free groups / QR / DCR
     • Statistical NIZKs from $k$-Lin ($\mathbb{G}_1$) + $k$-KerLin ($\mathbb{G}_2$) in a pairing group
     Weaker assumption compared to [GOS06], which required $k$-Lin in both groups ($k$-KerLin is a search assumption implied by $k$-Lin).

  11. The Landscape of (DV)-NIZKs

     | Construction | Soundness | Zero-Knowledge | Assumption |
     |---|---|---|---|
     | [FLS90] | statistical | computational | factoring |
     | [CHK03] | statistical | computational | CDH (pairing group) |
     | [GOS06] | stat. / comp. | comp. / stat. | $k$-Lin ($\mathbb{G}_1$, $\mathbb{G}_2$) |
     | This work | computational | statistical | $k$-Lin ($\mathbb{G}_1$), $k$-KerLin ($\mathbb{G}_2$) |
     | [PS19] | stat. / comp. | comp. / stat. | LWE |
     | [SW14] | computational | statistical | iO + OWFs |
     | [QRW19, CH19, KNYY19] | statistical | computational | CDH |
     | [LQRWW19] | computational | computational | CDH/LWE/LPN |
     | [CDIKLOV19] | stat. / comp. | comp. / stat. | DCR |
     | This work | stat. / comp. | comp. / stat. | DDH/QR/DCR |

     Row-group labels on the slide: publicly-verifiable; malicious designated-verifier.

  12. NIZKs in the Hidden Bits Model [FLS90]
     Hidden-bits string, $n$ bits long (example on the slide: 0 1 1 1 0 0 1 0 1 1).
     The prover has access to a uniformly random bit string of length $n$.

  13. NIZKs in the Hidden Bits Model [FLS90]
     Hidden-bits string, $n$ bits long (example on the slide: 0 1 1 1 0 0 1 0 1 1).
     The prover has access to a uniformly random bit string of length $n$.
     The prover outputs a subset $I \subseteq [n]$ and a proof $\pi$.

  14. NIZKs in the Hidden Bits Model [FLS90]
     Hidden-bits string, $n$ bits long (revealed bits on the slide: 1 0 0 0).
     The prover outputs a subset $I \subseteq [n]$ and a proof $\pi$.
     The verifier only sees the subset of the bits in $I$ and the proof $\pi$.

  15. NIZKs in the Hidden Bits Model [FLS90]
     Hidden-bits string, $n$ bits long (revealed bits on the slide: 1 0 0 0).
     The prover outputs a subset $I \subseteq [n]$ and a proof $\pi$.
     The verifier only sees the subset of the bits in $I$ and the proof $\pi$.
     [FLS90]: There exists a perfect NIZK proof for any NP language in the hidden-bits model.

  16. The FLS Compiler [FLS90]
     NIZKs in the hidden-bits model → cryptographic compiler → NIZKs in the CRS model.
     Diagram: CRS; “commitment” $\sigma$; hidden-bits string $b_1 b_2 \cdots b_n$.
     Prover can selectively open $\sigma$ to $(i, b_i)$ for indices $i$ of its choosing.

  17. The FLS Compiler [FLS90]
     Diagram: CRS; “commitment” $\sigma$; hidden-bits string $b_1 b_2 \cdots b_n$.
     Prover can selectively open $\sigma$ to $(i, b_i)$ for indices $i$ of its choosing.
     Main properties:
     • Binding: Can only open $\sigma$ to a single bit for each position
     • Hiding: Unopened bits should be hidden
     • Succinctness: $|\sigma| \ll n$
     Soundness: If $|\sigma| \ll n$ and there are not too many “bad” hidden-bits strings ⇒ prover cannot find a “bad” $\sigma$ that fools verifier.
     Zero-Knowledge: Unopened bits hidden to verifier.

  18. The FLS Compiler [FLS90]
     NIZKs in the hidden-bits model → cryptographic compiler → NIZKs in the CRS model.
     Diagram: CRS; “commitment” $\sigma$; hidden-bits string $b_1 b_2 \cdots b_n$.
     Instantiations:
     [FLS90]: trapdoor permutations (computational NIZK proofs)
     [CHK03]: CDH over a pairing group (computational NIZK proofs)
     [QRW19, CH19, KNYY19]: hidden-bits generators from CDH (computational DV-NIZK proofs)

  19. The FLS Compiler [FLS90]
     NIZKs in the hidden-bits model → cryptographic compiler → NIZKs in the CRS model.
     Diagram: CRS; “commitment” $\sigma$; hidden-bits string $b_1 b_2 \cdots b_n$.
     Possible to instantiate FLS to obtain statistical ZK?
     Instantiations:
     [FLS90]: trapdoor permutations (computational NIZK proofs)
     [CHK03]: CDH over a pairing group (computational NIZK proofs)
     [QRW19, CH19, KNYY19]: hidden-bits generators from CDH (computational DV-NIZK proofs)

  20. The FLS Compiler [FLS90]
     NIZKs in the hidden-bits model → cryptographic compiler → NIZKs in the CRS model.
     [FLS90]: trapdoor permutations (computational NIZK proofs)
     [CHK03]: CDH over a pairing group (computational NIZK proofs)
     [QRW19, CH19, KNYY19]: computational hidden-bits generators from CDH (computational DV-NIZK arguments)
     This work: dual-mode hidden bits generator
     • “Binding mode:” computational DV-NIZK proofs
     • “Hiding mode:” statistical DV-NIZK arguments

  21. Warm-Up: The FLS Compiler from CDH [CHK03, QRW19, CH19, KNYY19]
     Ingredient: let $\mathbb{G}$ be a prime-order group of order $p$ with generator $g$.
     CRS: $g, h_1 = g^{w_1}, \ldots, h_n = g^{w_n} \in \mathbb{G}$, where $w_1, \ldots, w_n \leftarrow \mathbb{Z}_p$.
     Each exponent $y \in \mathbb{Z}_p$ defines a hidden bits string $b_1 b_2 \cdots b_n$ with $b_i := \text{hc}(h_i^y)$ (hard-core bit).
     Committing to a hidden-bits string: Prover samples $y \leftarrow \mathbb{Z}_p$ and commits to the hidden bits string with $\sigma = g^y \in \mathbb{G}$.
     Opening $\sigma$ to a bit $b_i$: reveal $h_i^y$ and prove that $(g, g^y, h_i, h_i^y)$ is a DDH tuple.
     [CHK03]: Use a pairing: $e(g^y, h_i) = e(g, h_i^y)$ (publicly-verifiable)
     [QRW19, CH19, KNYY19]: Use Cramer-Shoup hash-proof system [CS98, CS02, CKS08] (designated-verifier)

  22. Warm-Up: The FLS Compiler from CDH [CHK03, QRW19, CH19, KNYY19]
     Ingredient: let $\mathbb{G}$ be a prime-order group of order $p$ with generator $g$.
     CRS: $g, h_1 = g^{w_1}, \ldots, h_n = g^{w_n} \in \mathbb{G}$, where $w_1, \ldots, w_n \leftarrow \mathbb{Z}_p$.
     Each exponent $y \in \mathbb{Z}_p$ defines a hidden bits string $b_1 b_2 \cdots b_n$ with $b_i := \text{hc}(h_i^y)$ (hard-core bit).
     Committing to a hidden-bits string: Prover samples $y \leftarrow \mathbb{Z}_p$ and commits to the hidden bits string with $\sigma = g^y \in \mathbb{G}$.
     Statistical binding: choice of $\sigma$ (with $h_1, \ldots, h_n$) completely defines $b_1, \ldots, b_n$.
     Resulting NIZK satisfies statistical soundness.

  23. Warm-Up: The FLS Compiler from CDH [CHK03, QRW19, CH19, KNYY19]
     Ingredient: let $\mathbb{G}$ be a prime-order group of order $p$ with generator $g$.
     CRS: $g, h_1 = g^{w_1}, \ldots, h_n = g^{w_n} \in \mathbb{G}$, where $w_1, \ldots, w_n \leftarrow \mathbb{Z}_p$.
     Each exponent $y \in \mathbb{Z}_p$ defines a hidden bits string $b_1 b_2 \cdots b_n$ with $b_i := \text{hc}(h_i^y)$ (hard-core bit).
     Committing to a hidden-bits string: Prover samples $y \leftarrow \mathbb{Z}_p$ and commits to the hidden bits string with $\sigma = g^y \in \mathbb{G}$.
     Computational hiding: unopened bits are computationally hidden since hc is hard-core. Need to compute $g^{w_i y}$ from $g^{w_i}$ and $g^y$, which is precisely CDH.
     Resulting NIZK satisfies computational zero-knowledge.
