Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert University of Michigan (Based on work with Sina Shiehian) 2nd Crypto Innovation School Shanghai, China 15 December 2019 1 / 16
Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. 2 / 16
Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. ◮ Example: ‘cut-and-choose’ protocol for Graph Isomorphism P ( G 0 , G 1 , π ) V ( G 0 , G 1 ) [ G 0 = π ( G 1 )] 2 / 16
Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. ◮ Example: ‘cut-and-choose’ protocol for Graph Isomorphism P ( G 0 , G 1 , π ) V ( G 0 , G 1 ) [ G 0 = π ( G 1 )] H H = ρ ( G 0 ) 2 / 16
Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. ◮ Example: ‘cut-and-choose’ protocol for Graph Isomorphism P ( G 0 , G 1 , π ) V ( G 0 , G 1 ) [ G 0 = π ( G 1 )] H H = ρ ( G 0 ) b ← { 0 , 1 } (“Prove H ≡ G b ”) 2 / 16
Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. ◮ Example: ‘cut-and-choose’ protocol for Graph Isomorphism P ( G 0 , G 1 , π ) V ( G 0 , G 1 ) [ G 0 = π ( G 1 )] H H = ρ ( G 0 ) b ← { 0 , 1 } (“Prove H ≡ G b ”) σ = ρ ◦ π b check H ? = σ ( G b ) 2 / 16
Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. ◮ Example: ‘cut-and-choose’ protocol for Graph Isomorphism P ( G 0 , G 1 , π ) V ( G 0 , G 1 ) [ G 0 = π ( G 1 )] H H = ρ ( G 0 ) b ← { 0 , 1 } (“Prove H ≡ G b ”) σ = ρ ◦ π b check H ? = σ ( G b ) 1 Complete: if G 0 ≡ G 1 , then P convinces V . 2 / 16
Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. ◮ Example: ‘cut-and-choose’ protocol for Graph Isomorphism P ( G 0 , G 1 , π ) V ( G 0 , G 1 ) [ G 0 = π ( G 1 )] H H = ρ ( G 0 ) b ← { 0 , 1 } (“Prove H ≡ G b ”) σ = ρ ◦ π b check H ? = σ ( G b ) 1 Complete: if G 0 ≡ G 1 , then P convinces V . 2 Sound: if G 0 �≡ G 1 , cheating P ∗ convinces V with prob ≤ 1 / 2 . 2 / 16
Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. ◮ Example: ‘cut-and-choose’ protocol for Graph Isomorphism P ( G 0 , G 1 , π ) V ( G 0 , G 1 ) [ G 0 = π ( G 1 )] H H = ρ ( G 0 ) b ← { 0 , 1 } (“Prove H ≡ G b ”) σ = ρ ◦ π b check H ? = σ ( G b ) 1 Complete: if G 0 ≡ G 1 , then P convinces V . 2 Sound: if G 0 �≡ G 1 , cheating P ∗ convinces V with prob ≤ 1 / 2 . Soundness error can be reduced exponentially by (parallel) repetition. 2 / 16
Zero Knowledge [GoldwasserMicaliRackoff’85] ◮ Zero-knowledge (interactive) proof for language L : allows a prover P to convince a verifier V that some x ∈ L , while revealing nothing else. ◮ Example: ‘cut-and-choose’ protocol for Graph Isomorphism P ( G 0 , G 1 , π ) V ( G 0 , G 1 ) [ G 0 = π ( G 1 )] H H = ρ ( G 0 ) b ← { 0 , 1 } (“Prove H ≡ G b ”) σ = ρ ◦ π b check H ? = σ ( G b ) 1 Complete: if G 0 ≡ G 1 , then P convinces V . 2 Sound: if G 0 �≡ G 1 , cheating P ∗ convinces V with prob ≤ 1 / 2 . Soundness error can be reduced exponentially by (parallel) repetition. 3 Zero Knowledge: can simulate (honest) V ’s view when G 0 ≡ G 1 . 2 / 16
Zero Knowledge for NP Theorem [GoldreichMicaliWigderson’86,NguyenOngVadhan’06] ◮ Assuming OWFs, every NP language has a ZK proof/argument. 3 / 16
Zero Knowledge for NP Theorem [GoldreichMicaliWigderson’86,NguyenOngVadhan’06] ◮ Assuming OWFs, every NP language has a ZK proof/argument. ◮ Applications: identification, secure multiparty computation, . . . 3 / 16
Zero Knowledge for NP Theorem [GoldreichMicaliWigderson’86,NguyenOngVadhan’06] ◮ Assuming OWFs, every NP language has a ZK proof/argument. ◮ Applications: identification, secure multiparty computation, . . . Cut-and-choose protocol for Hamiltonian Cycle [FeigeLapidotShamir’90] : P ( G, cycle C ) V ( G ) 3 / 16
Zero Knowledge for NP Theorem [GoldreichMicaliWigderson’86,NguyenOngVadhan’06] ◮ Assuming OWFs, every NP language has a ZK proof/argument. ◮ Applications: identification, secure multiparty computation, . . . Cut-and-choose protocol for Hamiltonian Cycle [FeigeLapidotShamir’90] : P ( G, cycle C ) V ( G ) { c i,j ← Com ( h i,j ) } , Com ( ρ ) H = ρ ( G ) 3 / 16
Zero Knowledge for NP Theorem [GoldreichMicaliWigderson’86,NguyenOngVadhan’06] ◮ Assuming OWFs, every NP language has a ZK proof/argument. ◮ Applications: identification, secure multiparty computation, . . . Cut-and-choose protocol for Hamiltonian Cycle [FeigeLapidotShamir’90] : P ( G, cycle C ) V ( G ) { c i,j ← Com ( h i,j ) } , Com ( ρ ) H = ρ ( G ) b ← { 0 , 1 } 3 / 16
Zero Knowledge for NP Theorem [GoldreichMicaliWigderson’86,NguyenOngVadhan’06] ◮ Assuming OWFs, every NP language has a ZK proof/argument. ◮ Applications: identification, secure multiparty computation, . . . Cut-and-choose protocol for Hamiltonian Cycle [FeigeLapidotShamir’90] : P ( G, cycle C ) V ( G ) { c i,j ← Com ( h i,j ) } , Com ( ρ ) H = ρ ( G ) b ← { 0 , 1 } b = 0 : open all h i,j , ρ check H = ρ ( G ) 3 / 16
Zero Knowledge for NP Theorem [GoldreichMicaliWigderson’86,NguyenOngVadhan’06] ◮ Assuming OWFs, every NP language has a ZK proof/argument. ◮ Applications: identification, secure multiparty computation, . . . Cut-and-choose protocol for Hamiltonian Cycle [FeigeLapidotShamir’90] : P ( G, cycle C ) V ( G ) { c i,j ← Com ( h i,j ) } , Com ( ρ ) H = ρ ( G ) b ← { 0 , 1 } b = 0 : open all h i,j , ρ check H = ρ ( G ) b = 1 : open h i,j check cycle for ( i, j ) ∈ ρ ( C ) 3 / 16
Noninteractive Zero Knowledge [BlumDeSantisMicaliPersiano’88] ◮ Interaction is not always possible. What if. . . ? P ( x, w ) V ( x ) π acc/rej 4 / 16
Noninteractive Zero Knowledge [BlumDeSantisMicaliPersiano’88] ◮ Interaction is not always possible. What if. . . ? P ( x, w ) V ( x ) π acc/rej ◮ In ‘plain’ model, NIZK = BPP (trivial). 4 / 16
Noninteractive Zero Knowledge [BlumDeSantisMicaliPersiano’88] ◮ Interaction is not always possible. What if. . . ? P ( x, w ) crs V ( x ) π acc/rej ◮ With common random/reference string, NP ⊆ NIZK assuming: 4 / 16
Noninteractive Zero Knowledge [BlumDeSantisMicaliPersiano’88] ◮ Interaction is not always possible. What if. . . ? P ( x, w ) crs V ( x ) π acc/rej ◮ With common random/reference string, NP ⊆ NIZK assuming: ⋆ quadratic residuosity/trapdoor permutations [BDMP’88,FLS’90] ⋆ hard pairing-friendly groups [GrothOstrovskySahai’06] ⋆ indistinguishability obfuscation [SahaiWaters’14] 4 / 16
Noninteractive Zero Knowledge [BlumDeSantisMicaliPersiano’88] ◮ Interaction is not always possible. What if. . . ? P ( x, w ) crs V ( x ) π acc/rej ◮ With common random/reference string, NP ⊆ NIZK assuming: ⋆ quadratic residuosity/trapdoor permutations [BDMP’88,FLS’90] ⋆ hard pairing-friendly groups [GrothOstrovskySahai’06] ⋆ indistinguishability obfuscation [SahaiWaters’14] Apps: signatures, CCA-secure encryption, cryptocurrencies, . . . 4 / 16
Noninteractive Zero Knowledge [BlumDeSantisMicaliPersiano’88] ◮ Interaction is not always possible. What if. . . ? P ( x, w ) crs V ( x ) π acc/rej ◮ With common random/reference string, NP ⊆ NIZK assuming: ⋆ quadratic residuosity/trapdoor permutations [BDMP’88,FLS’90] ⋆ hard pairing-friendly groups [GrothOstrovskySahai’06] ⋆ indistinguishability obfuscation [SahaiWaters’14] Apps: signatures, CCA-secure encryption, cryptocurrencies, . . . ◮ Open [PW’08,PV’08] : ‘post-quantum’ foundation like lattices/LWE 4 / 16
Noninteractive Zero Knowledge [BlumDeSantisMicaliPersiano’88] ◮ Interaction is not always possible. What if. . . ? P ( x, w ) crs V ( x ) π acc/rej ◮ With common random/reference string, NP ⊆ NIZK assuming: ⋆ quadratic residuosity/trapdoor permutations [BDMP’88,FLS’90] ⋆ hard pairing-friendly groups [GrothOstrovskySahai’06] ⋆ indistinguishability obfuscation [SahaiWaters’14] Apps: signatures, CCA-secure encryption, cryptocurrencies, . . . ◮ Open [PW’08,PV’08] : ‘post-quantum’ foundation like lattices/LWE Our Main Theorem ◮ NP ⊆ NIZK assuming LWE/worst-case lattice problems are hard. 4 / 16
Fiat-Shamir Heuristic [FiatShamir’86] ◮ A way to remove interaction from a public-coin protocol, via hashing: 5 / 16
Fiat-Shamir Heuristic [FiatShamir’86] ◮ A way to remove interaction from a public-coin protocol, via hashing: P V α β ← { 0 , 1 } m γ 5 / 16
Recommend
More recommend