Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa,...


Efficient Non-Interactive Zero Knowledge Arguments for Set Operations

Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang

University of Tartu, University of Tartu, University of Athens

Motivation: Secure Computation

E(x1),…,E(xn)

E(f(x1,…,xn))

Ok if (x1,…,xn)S

Add NIZK proof

pk

Motivation: Secure Computation (2)

E(S)

E(f(S))

E(T)

E(g(T))

Ok if ST

Add NIZK proof

pk

Proofs for Set Operations

› Encrypted inputs satisfy certain set relations => security against malicious adversaries

› Or even multiset relations

– … ⊎ ¿

¿∪

Non-Interactive Zero-Knowledge Proofs

E(x1),…,E(xn)

Proof of Correctness

Complete, Sound, Zero-Knowledge

Proof can be constructed without knowing inputs

Contradiction?

pk

Common Reference String Model

E(x1),…,E(xn)

Proof of Correctness

pk, sk

crs

td

Our results

› NIZK proof for one particular multiset operation
  – (PMSET)

› Applications to other (multi)set operations

› Non-interactive
  – No random oracle

› Efficient

¿

CRS length    Proof length    Prover comp.    Verifier comp.
Θ(|S|)        Θ(1)            Θ(|S|)          Θ(1)

Cryptographic Building Block: Pairings

› Bilinear operation
  – e(f1+f2,f3) = e(f1,f3) + e(f2,f3)
  – e(f1,f2+f3) = e(f1,f2) + e(f1,f3)

› With Hardness Assumptions
  – Given e(f1,f2), it is hard to compute f1
  – …

› Much wow

Commitments

We use a concrete succinct commitment scheme from 2013

Multiset Commitment

Too costly!

Multiset Commitment

• S =>
• polynomial that has S as null-set
• Including multiplicities

• =>
• is secret key
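The polynomial encoding on this slide, shown as an added example in plain modular arithmetic; it is not the authors' commitment scheme (no pairings, no hiding randomness, and the evaluation point is visible). The names `P`, `encode`, `sum_equals`, `witness`, `is_submultiset` and `is_set` are hypothetical, and the sub-multiset check assumes the usual definition that A is a sub-multiset of B iff some C satisfies A ⊎ C = B.

```python
# Added illustration: a multiset as a polynomial whose roots are its
# elements, evaluated at one point sigma over an assumed prime field.
import secrets
from collections import Counter

P = 2**127 - 1  # assumed field modulus (a Mersenne prime), chosen for the demo

def encode(multiset, sigma):
    """Evaluate prod (sigma - s) mod P over all elements; a repeated
    element contributes a repeated factor, so multiplicity is kept."""
    acc = 1
    for s in multiset:
        acc = acc * (sigma - s) % P
    return acc

def sum_equals(a, c, b, sigma):
    """Check A ⊎ C = B: multiset sum becomes a product of encodings.
    Unequal multisets collide only if sigma is a root of the difference
    polynomial, i.e. with probability at most degree / P."""
    return encode(a, sigma) * encode(c, sigma) % P == encode(b, sigma)

def witness(a, b):
    """Candidate C = B minus A (Counter drops non-positive counts)."""
    return list((Counter(b) - Counter(a)).elements())

def is_submultiset(a, b, sigma):
    """A is a sub-multiset of B iff the candidate C gives A ⊎ C = B."""
    return sum_equals(a, witness(a, b), b, sigma)

def is_set(a, universe, sigma):
    """A has no repeats (and lies in U) iff A is a sub-multiset of U,
    where the universal set U lists each element exactly once."""
    return is_submultiset(a, universe, sigma)

if __name__ == "__main__":
    sigma = secrets.randbelow(P)  # random evaluation point
    # Constructed sample multisets.
    print(is_submultiset([1, 2], [1, 1, 2, 5], sigma))
    print(is_submultiset([1, 2, 2], [1, 1, 2, 5], sigma))
    print(is_set([1, 3], [1, 2, 3, 4], sigma))
    print(is_set([1, 1, 3], [1, 2, 3, 4], sigma))
```
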

Main Idea

¿

¿iff

• Commitments are randomized
• Proof = a crib E that compensates for randomness
• Enables verification to be performed on commitments

Additional Obstacles

› Soundness:
  – We use knowledge assumptions
    › Guarantee that prover knows committed values
  – Common in succinct NIZK construction
  – [Gentry Wichs 2011]: also necessary

› Zero Knowledge:
  – Simulator needs to create proof for given commitments
    › Not created by simulator
  – We let the prover create new random commitments for all sets
    › Add a NIZK proof of correctness
  – Simulator creates fake commitments
    › Uses trapdoor to simulate

Applications

› Mostly use very simple set arithmetic

› Is-a-Sub(multi)set:
  – iff exists C such that

› Is-a-Set:
  – Multiset A is a set if for universal set U
  – In many applications, U is small

› Set-Intersection-And-Union:
  – and iff , , and A, B, and D are sets

› See paper for more…
