Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs
Jens Groth
University College London
Non-interactive zero-knowledge proof
Prover VerifierSoundness:Statement is true
Zero-knowledge:Nothing but truth revealed
Statement: xL
Proof:
(x,w)RL
Common reference string:0100âŚ11010
Non-interactive zero-knowledge proofs
⢠Statement C is satisfiable circuit⢠Perfect completeness⢠Statistical soundness⢠Computational zero-knowledge
⢠Uniformly random common reference string⢠Efficient prover â probabilistic polynomial time⢠Deterministic polynomial time verifier
Adaptive soundness:Adversary sees CRS before attempting to cheat with false (C,)
Our results
⢠Security level: 2-k
⢠Trapdoor perm size: kT = poly(k)
⢠Circuit size: |C| = poly(k)⢠Witness size: |w| |C|
CRS in bits Proof in bits Assumption
Kilian-Petrank |C|âkTâkâ(log k) |C|âkTâkâ(log k) Trapdoor perms
This talk |C|âkTâpolylog(k) |C|âkTâpolylog(k) Trapdoor perms
CRS in bits Proof in bits Assumption
Gentry poly(k) |w|âpoly(k) Lattice-based + NIZK
G-Ostrovsky-Sahai k3/polylog(k) |C|âk3/polylog(k) Pairing-based
This talk |C|âpolylog(k) |C|âpolylog(k) Naccache-Stern
Other work poly(k) |w| + poly(k) FHE + NIZK
Encrypted random bits
Statement: xL
CRS(x,w)RL
01...0
11âŚ1
00âŚ1
10âŚ0K(1k) (pk,sk)
c1
c2
c3
c4
Epk(0;r1)
Epk(1;r2)
Epk(0;r3)
Epk(1;r4)
c1
1 ; r2
c3
0 ; r4
Hidden random string - soundness
Statement: xL
(x,w)RL0
1
0
1
Hidden random string â zero-knowledge
Statement: xL
0
1
Using hidden random bits for NIZK
⢠Random bits not useful; need bits with structure⢠Use statistical sampling to get âgoodâ blocks
10
11
00
01
Probably hidden pairs
are 00 and 11
Statements
|| = O(|C|)
Idea in Kilian-Petrank
⢠Interpret pairs of bits as truth valuesâ T = {01,10} F = {00,11}
10
11
00
01
T
F
F
T
?0
1?
0?
?1
Zero-knowledge:Does ?1 correspond to T = 01 or F = 11?
Soundness:F can only be opened one way
Completeness:T can be opened as 0 or 1
T F F
Completeness
Reveal: ?0 1? ?1 = 0
10 11 11
Soundness
⢠If not a satisfying assignment there is a clause where all literals are falseâ x1 x2 x3 gives F F F
⢠There is 50% chance to catch a cheating proverâ 11, 00, 00 has no opening to XOR = 0 so prover caughtâ 11, 00, 11 can be opened to XOR = 0 so prover lucky
⢠Will use repetition to decrease proverâs chance
Consistency problem
⢠Cannot let prover designate truth-value pairs to literals because a cheating prover might choose an inconsistent assignment
⢠Need to ensure prover chooses correct and consistent assignment
Consistency
⢠Interpret 12-blocks of bits as 6 truth valuesâ Good block = TTTFFF or FFFTTT
TTTFFF
FTFTFF
FFFTTT
FTFFTF
I see many bad blocks. Statistically
the remaining hidden blocks are good.
Consistency
⢠Divide hidden random bit-string into 12-bit blocks⢠Call a block of 6 truth-value pairs for good if it is of
one of these two formsTTTFFF or FFFTTT
⢠Prover reveals all bits associated with bad blocks such that only good blocks remain
Using blocks
⢠Remaining good blocks
TTT FFF
FFF TTT
FFF TTT
TTT FFF
x1 = Fx2 = Tx3 = Fx4 = F
TT? FFF
FF? TTT
FFF TT?
TT? FFF
10? 011
01? 110
111 10?
01? 110
Unrevealed bit-pair shows positive/negative
literals for variable
Positive literalsNegative literals
Using blocks
⢠After discarding bad blocks the remaining hidden blocks are statistically speaking mostly good
⢠We assign each block to a variable xi in a deterministic way
⢠Each block has 6 truth-values TTTFFF or FFFTTTâ If xi = T reveal 5 bits in TTTFF? or FF?TTT
â If xi = F reveal 5 bits in TT?FFF or FFFTT?
â Revelations correspond to 5 appearances xi, xi, xi, xi, xi
⢠The last unrevealed truth-value uniquely determines the assignment of truth-values to literals
⢠The verifier now checks all clauses XOR to 0
Soundness
⢠The prover has several degrees of freedomâ Can choose which false statement to proveâ Can choose the public key for the encryption scheme,
each one of which will give different hidden random bitsâ Can choose the truth-value assignmentâ May leave a few bad blocks unrevealed
⢠Use repetition to lower risk of cheatingâ Instead of revealing single bits for each literal we will
reveal several bit-strings and in each clause all bit-strings most XOR to 0
⢠Statistical analysis shows with sufficient repetition a prover has negligible chance of cheating
Two new techniques
⢠More efficient use of hidden random bitsâ Kilian-Petrank: |C|âkâ(log(k)) hidden random bitsâ This work: |C|âpolylog(k) hidden random bits
⢠More efficient implementation of hidden bitsâ Trapdoor permutations:
kT = poly(k) bits per hidden random bit
â Naccache-Stern encryption:O(log k) bits per hidden random bit
Traditional proofs
Statement: xL
(x,w)RL
Proof:The statement is true because bla bla bla bla bla bla bla bla. QED
Iâd better read it very
carefully
Probabilistically checkable proofs
Statement: xL
(x,w)RL
Proof:The statement is true because bla bla bla bla bla bla bla bla. QED
Ok, let me spot check in random
places
Satisfiability of 3SAT5 formula
Satisfiability of gap-3SAT5 formula
Witness-preserving assignment tester
⢠Polynomial time algorithms f, fw:
f: C belongs to gap-3SAT5fw: w x if C(w)=1 then (x)=1
⢠With the most efficient probabilistically checkable proofs (Dinur 07 combined with BenSasson-Sudan 08) we have || = |C| polylog(k)
Strategy
⢠Want to prove C is satisfiable⢠Compute = f(C) and prove that it is satisfiable
using Kilian-Petrank techniques from before⢠With the most efficient assignment testers we
have || = |C| polylog(k) so statement is larger⢠However, since allows for a constant fraction of
âerrorsâ less repetition is needed to make the overall soundness error negligible
⢠It is ok if the prover cheats on some clauses as long as cannot cheat on a constant fraction
Remarks
⢠Probabilistically checkable proofs have been used in interactive zero-knowledge proofsâ Prover commits to PCPâ Verifier chooses at random some parts to checkâ Prover opens and reveals those parts of the PCP
⢠We are using PCPs in a different wayâ The verifier will check all parts of the PCPâ The checks have a small error probabilityâ But unlikely that prover can cheat on a constant fraction
Implementing the hidden random bits model
Statement: xL
CRS(x,w)RL
01...0
11âŚ1
00âŚ1
10âŚ0K(1k) (pk,sk)
c1
c2
c3
c4
Epk(0;r1)
Epk(1;r2)
Epk(0;r3)
Epk(1;r4)
c1
1 ; r2
c3
0 ; r4
Naccache-Stern encryption
⢠pk = (M,P,g) sk = (M)â M is an RSA modulus
â P = p1p2âŚpd where p1,âŚ,pd are O(log k) bit primes
â P | ord(g) = (M)/4 and |P| = (|M|)
⢠Epk(m;r) = gmrP mod M
⢠Dsk(c): For each pi compute m mod pi
c(M)/pi = (gmrP)(M)/pi = (gm(M)/pi)(r(M)P/pi) = (g(M)/pi)m
Chinese remainder gives us m mod P
Naccache-Stern implementation of hidden bits
Statement: xL
CRS(x,w)RL
01...0
11âŚ1
00âŚ1
10âŚ0K(1k) (pk,sk)
c1
c2
c3
c4
Epk(010;r1)
Epk(101;r2)
Epk(011;r3)
Epk(110;r4)
?1? ; 1
10? ; 2
??1 ; 3
??? ; 4
0 if m mod pi even1 if m mod pi odd if m mod pi is -1
Revealing part of Naccache-Stern plaintext
⢠Ciphertext c = gmrP
⢠How to prove that m = x mod pi?
⢠Prover reveals such that P = (cg-x)P/pi
⢠We can raise both sides to (M)/P⢠Gives us (M) = (gm-xrP)(M)/pi = (g(M)/pi)m-x ⢠Implies 1 = (g(M)/pi)m-x
⢠Since the order of (g(M)/pi) is pi this shows m = x mod pi
Revealing part of Naccache-Stern plaintext
⢠Ciphertext c = gmrP
⢠How to prove that m = x mod pi?
⢠Prover reveals such that P = (cg-x)P/pi
⢠Can compute the proof as = (cg-x)(P-1 mod (M)/P)P/pi
⢠Can randomize proof by multiplying with s(M)/P
⢠Generalizes to reveal m = x mod iSpi with a proof consisting of one group element
Zero-knowledge
⢠Simulator sets up pk = (M,P,g) such that ord(g) = (M)/4P and g = hP mod M
⢠Simulator also sets up the CRS such that it contains ciphertexts of the form c = sP mod M
⢠For any m ZP we can compute r = h-ms mod M such that
sP = gm(g-m)sP = gmh-mPsP = gmrP mod M⢠This means the simulator can open each
ciphertext to arbitrary hidden bits using = r
Final step â showing the key is valid
⢠The public key is pk = (M,P,g)
⢠The verifier can easily check P is a product of small primes p1,âŚ,pd
⢠But needs to be convinced M and g are ok
⢠Can do this with trapdoor permutation based NIZKâ Statement is small so it does not affect total cost
â Trapdoor permutations implied by Naccache-Stern
⢠So we use a small seeder NIZK to build large scale NIZK from Naccache-Stern encryption
Summary
⢠Technique 1: Reduce soundness error with probabilistically checkable proofs
⢠Technique 2: Implement hidden random bit string with Naccache-Stern encryption
Hidden bits Proof in bits Assumption
Kilian-Petrank |C|âkTâkâ(log k) |C|âkTâkâ(log k) Trapdoor perms
This work |C|âkTâpolylog(k) |C|âkTâpolylog(k) Trapdoor perms
CRS in bits Proof in bits Assumption
Gentry poly(k) |w|âpoly(k) Lattice-based + NIZK
G-Ostrovsky-Sahai k3/polylog(k) |C|âk3/polylog(k) Pairing-based
This talk |C|âpolylog(k) |C|âpolylog(k) Naccache-Stern
Other work poly(k) |w| + poly(k) FHE + NIZK