signatures of knowledge for boolean circuits under
play

Signatures of Knowledge for Boolean Circuits under Standard - PowerPoint PPT Presentation

Feb 25, 2023 •241 likes •702 views

Signatures of Knowledge for Boolean Circuits under Standard Assumptions Zaira Pindado Africacrypt, July 2020 Joint work with Karim Baghery, Alonso Gonz alez and Carla R` afols 1/37 Motivation Previous work Main construction Applications

  1. Signatures of Knowledge for Boolean Circuits under Standard Assumptions Zaira Pindado Africacrypt, July 2020 Joint work with Karim Baghery, Alonso Gonz´ alez and Carla R` afols 1/37

  2. Motivation Previous work Main construction Applications and Follow-ups NIZK proof systems Non-interactive Zero-Knowledge proof systems allow a party P to prove the verifier V that for a public statement � x , she knows a witness � w such that ( � w ) ∈ R for some relation R . x, � The proof π consists in just one message. Both parties share the same common reference string (CRS) as public paramters. P V π CRS, x , w CRS, x − − − − − − − − − − − → 2/37 2 / 37

  3. Motivation Previous work Main construction Applications and Follow-ups NIZK proof systems The basic requirements for the security of these proofs are: Completeness if P actually knows the witness, V should accept, Soundness if P does not know a valid witness it cannot convince V , Zero-Knowledge nothing about the witness is leaked from the proof π . 3/37 3 / 37

  4. Motivation Previous work Main construction Applications and Follow-ups Stronger notions of Soundness Knowledge Soundness     (Extraction of the witness)  Simulation Extractability  (Knowledge and Simulation) (Unbounded) Simulation Soundness      (Adversary cannot cheat even if it has seen simulated proofs) Extraction is formalized by an extractor of the witness that can be either Blackbox (BB) or non-Black Box (nBB), without (resp. with) access to the code of the adversary. In practice we cannot have access to the adversary code, so we want Simulation BB extractability (UC-security). 4/37 4 / 37

  5. Motivation Previous work Main construction Applications and Follow-ups NIZK proof systems Among the many constructions of NIZK proofs there is a trade-off between efficiency, generality and strength of the assumptions used for the security of the proof. +efficient -efficient +strong Succinct Linear zk-SNARKs , [ 3 ] Non-falsifiable general language QA-NIZK , [ 6 ] GS proofs , [ 5 ] Falsifiable specific language general language -strong 5/37 5 / 37

  6. Motivation Previous work Main construction Applications and Follow-ups NIZK proof systems Among the many constructions of NIZK proofs there is a trade-off between efficiency, generality and strength of the assumptions used for the security of the proof. +efficient -efficient +strong Succinct Linear zk-SNARKs , [ 3 ] Non-falsifiable general language QA-NIZK , [ 6 ] GS proofs , [ 5 ] Falsifiable specific language general language -strong 5/37 5 / 37

  7. Motivation Previous work Main construction Applications and Follow-ups Two recent NIZK proofs for Boolean CircuitSat in between: Daza et al.[1]: as a commit-and-prove argument is linear in the number of wires for the commitment and succinct in the proof. Gonz´ alezR` afols[2]: for CircuitSat, weaker assumptions, linear in the depth of the circuit for both commitment and proof. +efficient -efficient +strong Succinct Linear zk-SNARKs , [ 3 ] Non-falsifiable general language Daza19 [ 1 ] GonRaf19 [ 2 ] general language general language QA-NIZK , [ 6 ] GS proofs , [ 5 ] Falsifiable specific language general language -strong 6/37 6 / 37

  8. Motivation Previous work Main construction Applications and Follow-ups Our contribution Main construction: a framework of SE-NIZK arguments with BB extraction for Boolean CircuitSat under falsifiable assumptions. Concrete instantiation of a SE-NIZK. Small overhead respect to previous construction with bare soundness [2] ( 3 group elements).  GrothMaller[4] framework  � The first Signature of Knowledge that is UC-secure with same size of the SE-NIZK under falsifiable assumptions. 7/37 7 / 37

  9. Motivation Previous work Main construction Applications and Follow-ups Outline 1 Previous work 2 Main construction 3 Applications and Follow-ups 8/37 8 / 37

  10. Motivation Previous work Main construction Applications and Follow-ups Outline 1 Previous work 2 Main construction 3 Applications and Follow-ups 9/37 9 / 37

  11. Motivation Previous work Main construction Applications and Follow-ups Boolean CircuitSat: Notation output x x x Let φ be a boolean circuit x x x input where x expresses any binary operation and a i , b i , c i left, right and output wires of gate i c i x a i b i 10 / 37 10/37

  12. Motivation Previous work Main construction Applications and Follow-ups Boolean CircuitSat: Trivial approach An argument of knowledge for satisfiability of φ can be divided into three sub-arguments: 1) an argument of knowledge of a boolean input c 0 x x x x x x c 0 = ( a 1 , b 1 , a 2 , b 2 , a 3 , b 3 ) 11 / 37 11/37

  13. Motivation Previous work Main construction Applications and Follow-ups Boolean CircuitSat: Trivial approach An argument of knowledge for satisfiability of φ can be divided into three sub-arguments: 1) an argument of knowledge of some boolean input 2) an argument that proves the “correct wiring” of the circuit, i.e. a i , b i consistent with c c 6 x b 6 =c 5 a 6 = c 4 x x b 5 =c 3 a 4 b 4 = = =a 4 c 1 c 2 x x x a 1 a 2 a 3 b 1 b 2 b 3 12/37 12 / 37

  14. Motivation Previous work Main construction Applications and Follow-ups Boolean CircuitSat: Trivial approach An argument of knowledge for satisfiability of φ can be divided into three sub-arguments: 1) an argument of knowledge of some boolean input 2) an argument that proves the “correct wiring” of the circuit, i.e. all a i , b i consistent with c 3) an argument that proves quadratic constraints, i.e. the correct evaluation of all gates i NAND XOR NAND OR AND OR 13/37 13 / 37

  15. Motivation Previous work Main construction Applications and Follow-ups Boolean CircuitSat: Trivial approach 2) “correct wiring” of the circuit ⇔ linear constraints 3) evaluation of gates ⇔ quadratic constraints GonRaf19 [2] prove 2) and 3) succinctly for each level of the circuit by slicing it into levels. GonRaf19 is the most efficient NIZK proof for CircuitSat under standard assumptions: proof size O ( n 0 + d ) , where d is the depth of the circuit, n 0 the length of the input. 14/37 14 / 37

  16. Motivation Previous work Main construction Applications and Follow-ups Boolean CircuitSat: Trivial approach 2) “correct wiring” of the circuit ⇔ linear constraints 3) evaluation of gates ⇔ quadratic constraints GonRaf19 [2] prove 2) and 3) succinctly for each level of the circuit by slicing it into levels. GonRaf19 is the most efficient NIZK proof for CircuitSat under standard assumptions: proof size O ( n 0 + d ) , where d is the depth of the circuit, n 0 the length of the input. 14/37 14 / 37

  17. Motivation Previous work Main construction Applications and Follow-ups Boolean CircuitSat: Techniques from GonRaf19[2] The authors slice the circuit into levels x x x x x x and use shrinking commitments (no-hiding and deterministic) L j to all left wires at level j , and respectively R j , O j to all right, output wires at level j . L 1 , R 1 , O 1 , L 2 , R 2 , O 2 , L 3 , R 3 , O 3 15/37 15 / 37

  18. Motivation Previous work Main construction Applications and Follow-ups Boolean CircuitSat: Techniques from GonRaf19[2] Shrinking commitments with key Λ : L 1 = Λ 1 a 1 + Λ 2 a 2 + Λ 3 a 3 , R 1 = Λ 1 b 1 + Λ 2 b 2 + Λ 3 b 3 O 1 = Λ 1 c 1 + Λ 2 c 2 + Λ 3 c 3 L 2 = Λ 1 a 4 + Λ 2 a 5 , R 2 = Λ 1 b 4 + Λ 2 b 5 , . . . There are many possible openings for these commitments at level j . How do we understand soundness in that context? 16/37 16 / 37

  19. Motivation Previous work Main construction Applications and Follow-ups Boolean CircuitSat: Techniques from GonRaf19[2] Example: L 2 = Λ 1 a 4 + Λ 2 a 5 many possible openings ( ˆ a 4 , ˆ a 5 ) , but just one fits well with the previous level wires. x x x a 4 a 5 x x x The input fixes the correct output of 1st level gates, ( c 1 , c 2 ) , then just one for possible opening input ( a 4 , a 5 ) = ( c 1 , c 2 ) . Even there are many possible openings for the shrinking commitments at each level j , they should be consistent with the previous layers. 17 / 37 17/37

  20. Motivation Previous work Main construction Applications and Follow-ups Boolean CircuitSat: Techniques from GonRaf19[2] x x x x x x x x x → input x x x x x x → input x x x input Once the input is fixed, the knowledge of the input is “transferred” to next levels, level by level, and then all the wires are determined. Linear and quadratic constraints at some level j are proven assuming previous layers were already proven (“the promise”). Soundness is proven under this “promise”. 18 / 37 18/37

  21. Motivation Previous work Main construction Applications and Follow-ups Boolean CircuitSat: Techniques from GonRaf19[2] x x x x x x x x x → input x x x x x x → input x x x input Once the input is fixed, the knowledge of the input is “transferred” to next levels, level by level, and then all the wires are determined. Linear and quadratic constraints at some level j are proven assuming previous layers were already proven (“the promise”). Soundness is proven under this “promise”. 18 / 37 18/37

Recommend

Lecture 14: Boolean Circuits I Arijit Bishnu 17.04.2010 Introduction Boolean Circuits and P

Lecture 14: Boolean Circuits I Arijit Bishnu 17.04.2010 Introduction Boolean Circuits and P

Introduction Boolean Circuits and P Uniformly Generated Circuits Turing Machines that take Advice / poly Lecture 14: Boolean Circuits I Arijit Bishnu 17.04.2010 Introduction Boolean Circuits and P Uniformly Generated Circuits Turing Machines

1.08k views • 71 slides
Chapter 3 Understand how digital circuits work together to Boolean Algebra and form complex

Chapter 3 Understand how digital circuits work together to Boolean Algebra and form complex

Chapter 3 Objectives Understand the relationship between Boolean logic and digital computer circuits. Learn how to design simple logic circuits. Chapter 3 Understand how digital circuits work together to Boolean Algebra and form

403 views • 19 slides
Lecture 2 Boolean Algebra and Circuits CS 230 - Spring 2020 1-1 Boolean Algebra Algebra

Lecture 2 Boolean Algebra and Circuits CS 230 - Spring 2020 1-1 Boolean Algebra Algebra

CS 230 Introduction to Computers and Computer Systems Lecture 2 Boolean Algebra and Circuits CS 230 - Spring 2020 1-1 Boolean Algebra Algebra to express binary logic Basic operators: OR, AND, NOT More advanced operators later

1.18k views • 100 slides
Knowledge Compilation Guy Van den Broeck and Adnan Darwiche Jan 28, 2015, AAAI Knowledge

Knowledge Compilation Guy Van den Broeck and Adnan Darwiche Jan 28, 2015, AAAI Knowledge

On the Role of Canonicity in Knowledge Compilation Guy Van den Broeck and Adnan Darwiche Jan 28, 2015, AAAI Knowledge Compilation Reasoning with logical knowledge bases A Tractable languages and compilers B Boolean circuits: C

624 views • 30 slides
Polynomial threshold functions and Boolean threshold circuits Kristoffer Arnsfelt Hansen 1

Polynomial threshold functions and Boolean threshold circuits Kristoffer Arnsfelt Hansen 1

Polynomial threshold functions and Boolean threshold circuits Kristoffer Arnsfelt Hansen 1 Vladimir V. Podolskii 2 1 Aarhus University 2 Steklov Mathematical Institute MFCS 2013 1 / 27 Boolean Threshold Functions Boolean function f : { a , b } n

927 views • 44 slides
Circuits and Gates 15-110 Wednesday 09/16 Learning Goals Translate Boolean expressions to

Circuits and Gates 15-110 Wednesday 09/16 Learning Goals Translate Boolean expressions to

Circuits and Gates 15-110 Wednesday 09/16 Learning Goals Translate Boolean expressions to truth tables and circuits Translate circuits to truth tables and Boolean expressions Recognize how addition is done at the circuit level

441 views • 33 slides
Modelling of the Digital Systems What are the digital systems (circuits)? Digital systems

Modelling of the Digital Systems What are the digital systems (circuits)? Digital systems

Modelling of the Digital Systems What are the digital systems (circuits)? Digital systems are based on binary representation 0 or 1 Performing function of the Boolean logic Required circuits Boolean operators (inv, nand, nor, or, and)

535 views • 40 slides
Chapter 3 Learn how to design simple logic circuits. Understand how digital circuits work

Chapter 3 Learn how to design simple logic circuits. Understand how digital circuits work

Chapter 3 Objectives Understand the relationship between Boolean logic and digital computer circuits. Chapter 3 Learn how to design simple logic circuits. Understand how digital circuits work together to Boolean Algebra and form

448 views • 19 slides
Knowledge Compilation for Boolean Functional Synthesis S. Akshay, Jatin Arora, Supratik

Knowledge Compilation for Boolean Functional Synthesis S. Akshay, Jatin Arora, Supratik

Knowledge Compilation for Boolean Functional Synthesis S. Akshay, Jatin Arora, Supratik Chakraborty, S. Krishna, Divya Raghunathan, Shetal Shah Indian Institute of Technology Bombay 1 Boolean Functional Synthesis Boolean functions:

1.09k views • 86 slides
Chapter 3 Boolean Algebra and Digital Logic Chapter 3 Objectives Understand the relationship

Chapter 3 Boolean Algebra and Digital Logic Chapter 3 Objectives Understand the relationship

Chapter 3 Boolean Algebra and Digital Logic Chapter 3 Objectives Understand the relationship between Boolean logic and digital computer circuits. Learn how to design simple logic circuits. Understand how digital circuits work

898 views • 73 slides
Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives David Derler , Sebastian Ramacher , Daniel Slamanig PQC rypto 18, April 9, 2018 1 Ring Signatures P

612 views • 27 slides
Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors t Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 Beno 1 Ecole Normale Sup erieure de Lyon (France) 2

681 views • 33 slides
Key-policy Attribute-based Encryption for General Boolean Circuits from Secret Sharing and

Key-policy Attribute-based Encryption for General Boolean Circuits from Secret Sharing and

Key-policy Attribute-based Encryption for General Boolean Circuits from Secret Sharing and Multi-linear Maps agan 1 and Ferucio Laurent iplea 2 Constantin C at alin Dr iu T 1 CNRS, LORIA, 54506 Vandoeuvre-l` es-Nancy Cedex France

623 views • 18 slides
Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
Propositional Fragments for Knowledge Compilation and Quantified Boolean Formulae Sylvie

Propositional Fragments for Knowledge Compilation and Quantified Boolean Formulae Sylvie

Propositional Fragments for Knowledge Compilation and Quantified Boolean Formulae Propositional Fragments for Knowledge Compilation and Quantified Boolean Formulae Sylvie Coste-Marquis Daniel Le Berre Florian Letombe Pierre Marquis CRIL, CNRS

563 views • 32 slides
Functional lower bounds for arithmetic circuits and connections to boolean circuit complexity

Functional lower bounds for arithmetic circuits and connections to boolean circuit complexity

Functional lower bounds for arithmetic circuits and connections to boolean circuit complexity Michael Forbes Mrinal Kumar Ramprasad Saptharishi Princeton University Rutgers University T el Aviv University Computational Complexity

1.35k views • 107 slides
Models of Computation Boolean logic Logic circuits January 08, 2020 Patrice Belleville /

Models of Computation Boolean logic Logic circuits January 08, 2020 Patrice Belleville /

CPSC 121 Models of Computation Boolean logic Logic circuits January 08, 2020 Patrice Belleville / Geoffrey Tien 1 Announcements Pre-lecture quiz #2 due Tuesday Jan.14, 19:00 Read Epp 4e/5e: Chapter 2.2 HW1 out soon, due Tuesday,

309 views • 20 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Small Normalized Boolean Circuits for Semi-disjoint Bilinear Forms Require Logarithmic

Small Normalized Boolean Circuits for Semi-disjoint Bilinear Forms Require Logarithmic

Small Normalized Boolean Circuits for Semi-disjoint Bilinear Forms Require Logarithmic Conjunction-depth Andrzej Lingas, Lund university CCC 2018 0-0 Semi-disjoint Bilinear Form A set F of quadratic polynomials over a semi-ring,

349 views • 22 slides
Logic for Computer Science 04 Boolean algebra Wouter Swierstra University of Utrecht 1

Logic for Computer Science 04 Boolean algebra Wouter Swierstra University of Utrecht 1

Logic for Computer Science 04 Boolean algebra Wouter Swierstra University of Utrecht 1 Last time Naive set theory 2 This lecture Boolean algebra Computer circuits Binary arithmetic 3 Boolean algebra 4 Similarities We have seen the

993 views • 70 slides
Definitions Boolean set: B 0 , 1 Boolean constants: 0, 1 Boolean variable: x 0

Definitions Boolean set: B 0 , 1 Boolean constants: 0, 1 Boolean variable: x 0

Computer Architecture applied computer science 03.01 Boolean algebra urbino worldwide campus 03 Logic networks 03.01 Boolean algebra Definitions Boolean

489 views • 6 slides
Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli,

Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli,

Sub-Linear Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli, Rafael del Pino, Jens Groth and Vadim Lyubashevsky Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits 2

712 views • 33 slides
Boolean Functions Boolean Expressions Let B = { 0 , 1 } . 1 ... true, 0 ... false Let x 1 , x 2 ,

Boolean Functions Boolean Expressions Let B = { 0 , 1 } . 1 ... true, 0 ... false Let x 1 , x 2 ,

Boolean Functions Boolean Expressions Let B = { 0 , 1 } . 1 ... true, 0 ... false Let x 1 , x 2 , . . . , x n be boolean variables. Boolean Function of Arity n Semantics and Verification 2005 Abstract Syntax for Boolean Expressions ( x ranges

382 views • 4 slides
Pseudo-Boolean Constraints from a Knowledge Representation Perspective Daniel Le Berre 1 , 2

Pseudo-Boolean Constraints from a Knowledge Representation Perspective Daniel Le Berre 1 , 2

Pseudo-Boolean Constraints from a Knowledge Representation Perspective Daniel Le Berre 1 , 2 Pierre Marquis 1 , 2 , 3 Stefan Mengel 1 Romain Wallon 1 , 2 July 18, 2018 1 CRIL-CNRS UMR 8188, Lens, France 2 Universit e dArtois 3 Institut

588 views • 16 slides

More recommend