Signatures of Knowledge for Boolean Circuits under Standard Assumptions
Zaira Pindado
Africacrypt, July 2020
Joint work with Karim Baghery, Alonso González and Carla Ràfols

Motivation Previous work Main construction Applications and Follow-ups

NIZK proof systems
Non-interactive Zero-Knowledge proof systems allow a party P to prove to the verifier V that, for a public statement x, she knows a witness w such that (x, w) ∈ R for some relation R.
The proof π consists of just one message. Both parties share the same common reference string (CRS) as public parameters.
[Figure: P, holding (CRS, x, w), sends π to V, holding (CRS, x).]

NIZK proof systems
The basic requirements for the security of these proofs are:
Completeness: if P actually knows the witness, V should accept.
Soundness: if P does not know a valid witness, it cannot convince V.
Zero-Knowledge: nothing about the witness is leaked from the proof π.

Stronger notions of Soundness
Knowledge Soundness (extraction of the witness)
Simulation Extractability (knowledge and simulation)
(Unbounded) Simulation Soundness (the adversary cannot cheat even if it has seen simulated proofs)
Extraction is formalized by an extractor of the witness that can be either Black-Box (BB) or non-Black-Box (nBB), that is, without (resp. with) access to the code of the adversary.
In practice we cannot have access to the adversary's code, so we want Simulation BB extractability (UC-security).

NIZK proof systems
Among the many constructions of NIZK proofs there is a trade-off between efficiency, generality and strength of the assumptions used for the security of the proof.
[Figure: constructions placed on two axes, efficiency (+efficient = succinct, -efficient = linear) and assumption strength (+strong = non-falsifiable, -strong = falsifiable):
zk-SNARKs [3]: succinct, non-falsifiable, general language
QA-NIZK [6]: succinct, falsifiable, specific language
GS proofs [5]: linear, falsifiable, general language]

Two recent NIZK proofs for Boolean CircuitSat in between:
Daza et al. [1]: as a commit-and-prove argument, it is linear in the number of wires for the commitment and succinct in the proof.
González-Ràfols [2]: for CircuitSat, weaker assumptions, linear in the depth of the circuit for both commitment and proof.
[Figure: the same two axes, efficiency (+efficient = succinct, -efficient = linear) and assumption strength (+strong = non-falsifiable, -strong = falsifiable), with the two new entries in between:
zk-SNARKs [3]: succinct, non-falsifiable, general language
Daza19 [1]: general language
GonRaf19 [2]: general language
QA-NIZK [6]: succinct, falsifiable, specific language
GS proofs [5]: linear, falsifiable, general language]

Our contribution
Main construction: a framework of SE-NIZK arguments with BB extraction for Boolean CircuitSat under falsifiable assumptions.
Concrete instantiation of a SE-NIZK. Small overhead with respect to the previous construction with bare soundness [2] (3 group elements).
Groth-Maller [4] framework: the first Signature of Knowledge that is UC-secure, with the same size as the SE-NIZK, under falsifiable assumptions.

Outline
1 Previous work
2 Main construction
3 Applications and Follow-ups

Boolean CircuitSat: Notation
Let φ be a boolean circuit, where x expresses any binary operation and a_i, b_i, c_i are the left, right and output wires of gate i.
[Figure: a circuit of gates marked x, with the input at the bottom and the output at the top; a single gate i with input wires a_i, b_i and output wire c_i.]

Boolean CircuitSat: Trivial approach
An argument of knowledge for satisfiability of φ can be divided into three sub-arguments:
1) an argument of knowledge of a boolean input c_0
[Figure: the circuit with its input c_0 = (a_1, b_1, a_2, b_2, a_3, b_3).]

Boolean CircuitSat: Trivial approach
An argument of knowledge for satisfiability of φ can be divided into three sub-arguments:
1) an argument of knowledge of some boolean input
2) an argument that proves the "correct wiring" of the circuit, i.e. a_i, b_i consistent with c
[Figure: the circuit with labelled wires: output c_6; a_6 = c_4, b_6 = c_5, b_5 = c_3; level-1 outputs c_1, c_2 feeding the level-2 gates; inputs a_1, a_2, a_3, b_1, b_2, b_3.]

Boolean CircuitSat: Trivial approach
An argument of knowledge for satisfiability of φ can be divided into three sub-arguments:
1) an argument of knowledge of some boolean input
2) an argument that proves the "correct wiring" of the circuit, i.e. all a_i, b_i consistent with c
3) an argument that proves quadratic constraints, i.e. the correct evaluation of all gates i
[Figure: the circuit with gate types NAND, XOR, NAND, OR, AND, OR.]

Boolean CircuitSat: Trivial approach
2) "correct wiring" of the circuit ⇔ linear constraints
3) evaluation of gates ⇔ quadratic constraints
GonRaf19 [2] prove 2) and 3) succinctly for each level of the circuit by slicing it into levels.
GonRaf19 is the most efficient NIZK proof for CircuitSat under standard assumptions: proof size O(n_0 + d), where d is the depth of the circuit and n_0 the length of the input.

Boolean CircuitSat: Techniques from GonRaf19 [2]
The authors slice the circuit into levels and use shrinking commitments (non-hiding and deterministic): L_j to all left wires at level j, and respectively R_j, O_j to all right and output wires at level j.
[Figure: the circuit sliced into three levels, with commitments L_1, R_1, O_1, L_2, R_2, O_2, L_3, R_3, O_3.]

Boolean CircuitSat: Techniques from GonRaf19 [2]
Shrinking commitments with key Λ:
L_1 = Λ_1 a_1 + Λ_2 a_2 + Λ_3 a_3
R_1 = Λ_1 b_1 + Λ_2 b_2 + Λ_3 b_3
O_1 = Λ_1 c_1 + Λ_2 c_2 + Λ_3 c_3
L_2 = Λ_1 a_4 + Λ_2 a_5, R_2 = Λ_1 b_4 + Λ_2 b_5, ...
There are many possible openings for these commitments at level j. How do we understand soundness in that context?

Boolean CircuitSat: Techniques from GonRaf19 [2]
Example: L_2 = Λ_1 a_4 + Λ_2 a_5 has many possible openings (â_4, â_5), but just one fits well with the wires of the previous level.
[Figure: the circuit with the level-2 left wires a_4, a_5 marked above the level-1 gates and the input.]
The input fixes the correct output of the 1st-level gates, (c_1, c_2), so there is just one possible opening, (a_4, a_5) = (c_1, c_2).
Even though there are many possible openings for the shrinking commitments at each level j, they should be consistent with the previous layers.

Boolean CircuitSat: Techniques from GonRaf19 [2]
[Figure: the circuit shown three times; in each copy the "input" is moved one level up.]
Once the input is fixed, the knowledge of the input is "transferred" to the next levels, level by level, and then all the wires are determined.
Linear and quadratic constraints at some level j are proven assuming previous layers were already proven ("the promise"). Soundness is proven under this "promise".

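A toy walk-through of the level-by-level view on the slides above, added here as an example and not taken from the talk or from GonRaf19 [2]: it checks the linear (wiring) and quadratic (gate) constraints of one level against the previous level's outputs, and shows a second opening of L_2 that keeps the commitment but breaks the wiring. Assumptions: scalars modulo a prime replace the group elements of the real scheme, and the key values, the placement of the gate types, the wiring b_4 = c_2 and all function names are constructed for the illustration.

```python
# Added toy example: scalars mod P stand in for the group elements of the real
# scheme, so the key LAMBDA is "known" here and collisions are easy to compute.
P = 2**61 - 1                      # prime modulus (constructed)
LAMBDA = [5, 11, 17]               # commitment key Λ_1..Λ_3 (constructed)

# Every binary gate is a quadratic polynomial in its left/right wire bits.
GATES = {
    "AND":  lambda a, b: a * b,
    "OR":   lambda a, b: a + b - a * b,
    "XOR":  lambda a, b: a + b - 2 * a * b,
    "NAND": lambda a, b: 1 - a * b,
}

# (gate type, index of left source, index of right source) per level; sources
# index the previous level's outputs (level 0 = input c_0). Assumed layout.
LEVELS = [
    [("OR", 0, 1), ("AND", 2, 3), ("OR", 4, 5)],  # gates 1-3 read c_0
    [("XOR", 0, 1), ("NAND", 1, 2)],              # a4=c1, b4=a5=c2, b5=c3
    [("NAND", 0, 1)],                             # a6=c4, b6=c5
]

def commit(values):
    """Shrinking commitment: one element regardless of the vector length."""
    return sum(k * v for k, v in zip(LAMBDA, values)) % P

def evaluate(inputs):
    """Return (left, right, out) wire vectors for each level, bottom to top."""
    prev, trace = list(inputs), []
    for level in LEVELS:
        left = [prev[l] for _, l, _ in level]
        right = [prev[r] for _, _, r in level]
        out = [GATES[g](a, b) for (g, _, _), a, b in zip(level, left, right)]
        trace.append((left, right, out))
        prev = out
    return trace

def level_ok(level, prev, left, right, out):
    """Check one level, taking the previous level's outputs as already fixed."""
    wiring = all(left[i] == prev[l] and right[i] == prev[r]       # linear
                 for i, (_, l, r) in enumerate(level))
    gates = all(out[i] == GATES[g](left[i], right[i])             # quadratic
                for i, (g, _, _) in enumerate(level))
    return wiring and gates

def other_opening(values):
    """A different vector that commits to the same value under LAMBDA."""
    v = list(values)
    v[0], v[1] = (v[0] + LAMBDA[1]) % P, (v[1] - LAMBDA[0]) % P
    return v
```

With input c_0 = (1, 0, 1, 1, 0, 0), `evaluate` gives level-1 outputs (1, 1, 0), and `other_opening([1, 1])` yields a vector with the same commitment L_2 = 16 that `level_ok` rejects, because it no longer matches (c_1, c_2).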