Noninteractive Zero Knowledge for NP from Learning With Errors - PowerPoint PPT Presentation

  1. Noninteractive Zero Knowledge for NP from Learning With Errors
     Chris Peikert, University of Michigan (based on work with Sina Shiehian)
     2nd Crypto Innovation School, Shanghai, China, 15 December 2019
     (1 / 16)

  10. Zero Knowledge [GoldwasserMicaliRackoff’85]
     ◮ Zero-knowledge (interactive) proof for language L: allows a prover P to convince a verifier V that some x ∈ L, while revealing nothing else.
     ◮ Example: ‘cut-and-choose’ protocol for Graph Isomorphism
       P(G_0, G_1, π), where G_0 = π(G_1); V(G_0, G_1)
       P → V: H = ρ(G_0)
       V → P: b ← {0, 1} (“Prove H ≡ G_b”)
       P → V: σ = ρ ∘ π^b; V checks H ?= σ(G_b)
       1 Complete: if G_0 ≡ G_1, then P convinces V.
       2 Sound: if G_0 ≢ G_1, a cheating P* convinces V with prob ≤ 1/2.
         Soundness error can be reduced exponentially by (parallel) repetition.
       3 Zero Knowledge: can simulate (honest) V’s view when G_0 ≡ G_1.
     (2 / 16)
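The Graph Isomorphism protocol on this slide, simulated end to end as an added example (this is not code from the slides or the authors). Beyond the honest round it implements the simulator behind property 3 and one concrete cheating strategy behind property 2; graph encoding, function names and the sample graphs are assumptions made here.

```python
import random

# Graphs are frozensets of undirected edges, each edge a frozenset of two vertices.
def permute(g, p): return frozenset(frozenset(p[v] for v in e) for e in g)
def rand_perm(n): p = list(range(n)); random.shuffle(p); return p
def compose(p, q): return [p[q[v]] for v in range(len(p))]    # (p ∘ q)(v) = p[q[v]]

# One round of the cut-and-choose protocol from the slide; P knows π with G0 = π(G1).
def prover_commit(g0, n):
    rho = rand_perm(n)
    return rho, permute(g0, rho)                          # H = ρ(G0)

def prover_respond(rho, pi, b):
    return rho if b == 0 else compose(rho, pi)            # σ = ρ ∘ π^b

def verifier_check(g0, g1, h, b, sigma):
    return permute(g1 if b else g0, sigma) == h           # H ?= σ(G_b)

def honest_round(g0, g1, pi, n):
    rho, h = prover_commit(g0, n)
    b = random.randrange(2)                               # b ← {0, 1}
    return verifier_check(g0, g1, h, b, prover_respond(rho, pi, b))

def simulate_round(g0, g1, n):
    """Simulator for the honest V: pick b first, then a uniformly random σ and
    H = σ(G_b). No π is used, yet (H, b, σ) is distributed exactly as a real round."""
    b = random.randrange(2)
    sigma = rand_perm(n)
    return permute(g1 if b else g0, sigma), b, sigma

def cheating_round(g0, g1, n, guess, b):
    """One strategy for a P* without π: prepare H so that challenge `guess` can be
    answered. With G0 != G1 (as edge sets) it convinces V only when guess == b."""
    sigma = rand_perm(n)
    h = permute(g1 if guess else g0, sigma)
    return verifier_check(g0, g1, h, b, sigma)

# Constructed sample: G1 is the path 0-1-2, π relabels vertices, G0 = π(G1).
G1 = frozenset({frozenset({0, 1}), frozenset({1, 2})})
PI = [1, 2, 0]
G0 = permute(G1, PI)
```

Running `honest_round` m times in parallel gives the repetition of property 2: the cheating strategy must guess every b_k, so it survives with probability 2^-m.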

  17. Zero Knowledge for NP
     Theorem [GoldreichMicaliWigderson’86, NguyenOngVadhan’06]
     ◮ Assuming OWFs, every NP language has a ZK proof/argument.
     ◮ Applications: identification, secure multiparty computation, . . .
     Cut-and-choose protocol for Hamiltonian Cycle [FeigeLapidotShamir’90]:
       P(G, cycle C); V(G)
       P → V: {c_{i,j} ← Com(h_{i,j})}, Com(ρ), where H = ρ(G)
       V → P: b ← {0, 1}
       b = 0: P opens all h_{i,j} and ρ; V checks H = ρ(G)
       b = 1: P opens h_{i,j} for (i, j) ∈ ρ(C); V checks that they form a cycle
     (3 / 16)
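The Hamiltonian Cycle protocol above, written out as an added example (not code from the slides or the authors). Com is instantiated here with a hash-based commitment, an assumption of this example rather than anything the slide specifies, and the graph encoding and sample graph are likewise constructed.

```python
import hashlib, os, random

def commit(value):
    """Hash-based commitment (assumed scheme): c = SHA-256(r || value), opening (value, r)."""
    r = os.urandom(16)
    return hashlib.sha256(r + repr(value).encode()).digest(), (value, r)

def opens_to(c, opening):
    value, r = opening
    return hashlib.sha256(r + repr(value).encode()).digest() == c

# Graphs are frozensets of edges (u, v) with u < v.
def permute(g, p): return frozenset(tuple(sorted((p[u], p[v]))) for u, v in g)

def is_ham_cycle(edges, n):
    """n edges, every vertex of degree 2, and all vertices in one component."""
    adj = {v: set() for v in range(n)}
    for u, v in edges: adj[u].add(v); adj[v].add(u)
    if len(edges) != n or any(len(a) != 2 for a in adj.values()): return False
    seen, todo = {0}, [0]
    while todo:
        for w in adj[todo.pop()]:
            if w not in seen: seen.add(w); todo.append(w)
    return len(seen) == n

def prover_commit(g, n):
    """P commits to every entry h_{i,j} of H = ρ(G) and to ρ itself."""
    rho = list(range(n)); random.shuffle(rho)
    h = permute(g, rho)
    coms, opens = {}, {}
    for ij in [(i, j) for i in range(n) for j in range(i + 1, n)]:
        coms[ij], opens[ij] = commit(int(ij in h))            # c_{i,j} ← Com(h_{i,j})
    com_rho, open_rho = commit(rho)                             # Com(ρ)
    return (coms, com_rho), (opens, open_rho, rho)

def prover_respond(state, cycle, b):
    opens, open_rho, rho = state
    if b == 0: return opens, open_rho                           # open all h_{i,j} and ρ
    return {ij: opens[ij] for ij in permute(cycle, rho)}, None  # open only (i,j) ∈ ρ(C)

def verifier_check(g, n, commitment, b, response):
    (coms, com_rho), (opened, open_rho) = commitment, response
    if not all(ij in coms and opens_to(coms[ij], o) for ij, o in opened.items()): return False
    if b == 0:                                                  # check H = ρ(G)
        if set(opened) != set(coms) or not opens_to(com_rho, open_rho): return False
        h = frozenset(ij for ij, (bit, _) in opened.items() if bit)
        return h == permute(g, open_rho[0])
    return all(bit == 1 for bit, _ in opened.values()) and is_ham_cycle(set(opened), n)

# Constructed sample: 4-cycle C plus a chord; C is a Hamiltonian cycle of G.
C = frozenset({(0, 1), (1, 2), (2, 3), (0, 3)})
G = C | {(0, 2)}
```

In the b = 1 branch V learns only n cells of a permuted adjacency matrix and nothing about ρ, which is why the opened cycle reveals nothing about C.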

  24. Noninteractive Zero Knowledge [BlumDeSantisMicaliPersiano’88]
     ◮ Interaction is not always possible. What if. . . ?
       P(x, w) → π → V(x) → acc/rej
     ◮ In the ‘plain’ model, NIZK = BPP (trivial).
     ◮ With a common random/reference string crs (given to both P and V), NP ⊆ NIZK assuming:
       ⋆ quadratic residuosity/trapdoor permutations [BDMP’88, FLS’90]
       ⋆ hard pairing-friendly groups [GrothOstrovskySahai’06]
       ⋆ indistinguishability obfuscation [SahaiWaters’14]
       Apps: signatures, CCA-secure encryption, cryptocurrencies, . . .
     ◮ Open [PW’08, PV’08]: a ‘post-quantum’ foundation like lattices/LWE
     Our Main Theorem
     ◮ NP ⊆ NIZK assuming LWE/worst-case lattice problems are hard.
     (4 / 16)

  26. Fiat-Shamir Heuristic [FiatShamir’86]
     ◮ A way to remove interaction from a public-coin protocol, via hashing:
       P → V: α
       V → P: β ← {0, 1}^m
       P → V: γ
     (5 / 16)
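The heuristic applied to the m-fold parallel Graph Isomorphism protocol, as an added example (not from the slides or the authors): V's random β is replaced by a hash of the statement and α, so the proof (α, γ) needs no interaction. Deriving β as the first m bits of SHA-256 over (G_0, G_1, α), the graph encoding and the sample graphs are assumptions made here.

```python
import hashlib, random

# Graphs are frozensets of undirected edges, each edge a frozenset of two vertices.
def permute(g, p): return frozenset(frozenset(p[v] for v in e) for e in g)
def rand_perm(n): p = list(range(n)); random.shuffle(p); return p
def compose(p, q): return [p[q[v]] for v in range(len(p))]    # (p ∘ q)(v) = p[q[v]]

def canon(g):
    """Canonical, order-independent encoding of a graph for hashing."""
    return sorted(sorted(e) for e in g)

def challenge_bits(g0, g1, alpha, m):
    """β = first m bits (m <= 256) of SHA-256(statement, α); assumed instantiation."""
    data = repr((canon(g0), canon(g1), [canon(h) for h in alpha])).encode()
    d = hashlib.sha256(data).digest()
    return [(d[k // 8] >> (k % 8)) & 1 for k in range(m)]

def prove(g0, g1, pi, m):
    """m parallel GI rounds; the challenge is derived by hashing instead of sent by V."""
    rhos = [rand_perm(len(pi)) for _ in range(m)]
    alpha = [permute(g0, r) for r in rhos]                      # α = (H_1..H_m), H_k = ρ_k(G0)
    beta = challenge_bits(g0, g1, alpha, m)                     # β = Hash(x, α), fixed after α
    gamma = [r if b == 0 else compose(r, pi) for r, b in zip(rhos, beta)]  # σ_k = ρ_k ∘ π^{b_k}
    return alpha, gamma

def verify(g0, g1, proof, m):
    alpha, gamma = proof
    if len(alpha) != m or len(gamma) != m: return False
    beta = challenge_bits(g0, g1, alpha, m)                     # V recomputes β from α
    return all(permute(g1 if b else g0, s) == h for h, b, s in zip(alpha, beta, gamma))

# Constructed sample: G1 is the path 0-1-2, π relabels vertices, G0 = π(G1).
G1 = frozenset({frozenset({0, 1}), frozenset({1, 2})})
PI = [1, 2, 0]
G0 = permute(G1, PI)
```

Because β is fixed by α, a prover cannot pick α after learning the challenge; the soundness argument then rests on modelling the hash as a random oracle, which is exactly the gap the talk's later slides address.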
