SLIDE 1

Signatures of Knowledge for Boolean Circuits under Standard Assumptions

Zaira Pindado, Africacrypt, July 2020

Joint work with Karim Baghery, Alonso González and Carla Ràfols

1/37

SLIDE 2

2/37 Motivation Previous work Main construction Applications and Follow-ups

NIZK proof systems

Non-interactive Zero-Knowledge proof systems allow a prover P to convince a verifier V that, for a public statement x, she knows a witness w such that (x, w) ∈ R for some relation R. The proof π consists of a single message. Both parties share the same common reference string (CRS) as public parameters.

Diagram: P holds (CRS, x, w) and sends the single message π to V, who holds (CRS, x).

SLIDE 3

NIZK proof systems

The basic security requirements for these proofs are:

Completeness: if P actually knows a witness, V accepts.
Soundness: if the statement is false, i.e. no valid witness exists, a cheating P cannot convince V.
Zero-Knowledge: nothing about the witness is leaked by the proof π.

SLIDE 4

Stronger notions of Soundness

Knowledge Soundness: extraction of the witness from any convincing prover.

(Unbounded) Simulation Soundness: the adversary cannot cheat even after seeing simulated proofs.

Simulation Extractability: knowledge soundness and simulation soundness together.

Extraction is formalized by an extractor of the witness that can be either black-box (BB) or non-black-box (nBB), i.e. without (resp. with) access to the code of the adversary. In practice we cannot access the adversary's code, so we want BB simulation extractability, which is what UC security requires.

SLIDE 5

NIZK proof systems

Among the many constructions of NIZK proofs there is a trade-off between efficiency, generality and the strength of the assumptions used for the security of the proof.

Figure: a chart with axes "+efficient" (succinct vs. linear size) and "+strong" (non-falsifiable vs. falsifiable assumptions):
zk-SNARKs [3]: succinct, general language, non-falsifiable assumptions.
QA-NIZK [6]: succinct, falsifiable assumptions, but only for a specific language (linear spaces).
GS proofs [5]: general language, falsifiable assumptions, but linear size.


SLIDE 7

Two recent NIZK proofs for Boolean CircuitSat sit in between:

Daza et al. [1]: a commit-and-prove argument whose commitment is linear in the number of wires while the proof itself is succinct.
González and Ràfols [2]: for CircuitSat under weaker assumptions, linear in the depth of the circuit for both commitment and proof.

Figure: the same chart as on the previous slide, with Daza19 [1] and GonRaf19 [2] placed between the zk-SNARKs [3] (succinct, non-falsifiable) and the falsifiable QA-NIZK [6] / GS proofs [5], all three for a general language.

SLIDE 8

Our contribution

Main construction: a framework of SE-NIZK arguments with BB extraction for Boolean CircuitSat under falsifiable assumptions.

Concrete instantiation of an SE-NIZK with a small overhead (3 group elements) with respect to the previous construction [2], which only achieves bare soundness.

Applying the Groth-Maller [4] framework to it gives the first Signature of Knowledge that is UC-secure under falsifiable assumptions, with the same size as the SE-NIZK.

SLIDE 9

Outline

1 Previous work
2 Main construction
3 Applications and Follow-ups


SLIDE 11

Boolean CircuitSat: Notation

Let φ be a boolean circuit

Figure: a circuit of six gates, each drawn as ⊗, with the input wires at the bottom and the output wire at the top,

where ⊗ stands for any binary operation and a_i, b_i, c_i are the left, right and output wires of gate i.

Figure: a single gate ⊗ with left wire a_i, right wire b_i and output wire c_i.

SLIDE 12

Boolean CircuitSat: Trivial approach

An argument of knowledge for satisfiability of φ can be divided into three sub-arguments:

1) an argument of knowledge of some boolean input c_0 = (a_1, b_1, a_2, b_2, a_3, b_3),

2) an argument that proves the "correct wiring" of the circuit, i.e. all a_i, b_i consistent with the output wires c (in the example circuit: c_1 = a_4, c_3 = b_5, c_4 = a_6, c_5 = b_6, and c_6 is the output wire),

3) an argument that proves the quadratic constraints, i.e. the correct evaluation of every gate i (in the example the six gates are NAND, AND, OR, XOR, OR, NAND).

SLIDE 15

Boolean CircuitSat: Trivial approach

2) "correct wiring" of the circuit ⇔ linear constraints
3) evaluation of gates ⇔ quadratic constraints

GonRaf19 [2] prove 2) and 3) succinctly for each level of the circuit by slicing it into levels. GonRaf19 is the most efficient NIZK proof for CircuitSat under standard assumptions: proof size O(n_0 + d), where d is the depth of the circuit and n_0 the length of the input.


SLIDE 17

Boolean CircuitSat: Techniques from GonRaf19 [2]

The authors slice the circuit into levels (figure: the six-gate circuit cut into three levels) and use shrinking commitments (non-hiding and deterministic) L_j to all left wires at level j and, respectively, R_j and O_j to all right and output wires at level j:

L_1, R_1, O_1, L_2, R_2, O_2, L_3, R_3, O_3

SLIDE 18

Boolean CircuitSat: Techniques from GonRaf19 [2]

Shrinking commitments with key Λ:
L_1 = Λ_1 a_1 + Λ_2 a_2 + Λ_3 a_3, R_1 = Λ_1 b_1 + Λ_2 b_2 + Λ_3 b_3, O_1 = Λ_1 c_1 + Λ_2 c_2 + Λ_3 c_3,
L_2 = Λ_1 a_4 + Λ_2 a_5, R_2 = Λ_1 b_4 + Λ_2 b_5, . . .

There are many possible openings for these commitments at level j. How do we understand soundness in that context?

SLIDE 19

Boolean CircuitSat: Techniques from GonRaf19 [2]

Example: L_2 = Λ_1 a_4 + Λ_2 a_5 has many possible openings (â_4, â_5), but just one fits with the wires of the previous level.

Figure: the level-2 left wires a_4, a_5 are fed by the outputs of the first-level gates, which are in turn fixed by the input.

The input fixes the correct outputs (c_1, c_2) of the first-level gates, so just one opening is possible: (a_4, a_5) = (c_1, c_2). Even though there are many possible openings of the shrinking commitments at each level j, they must be consistent with the previous layers.

SLIDE 20

Boolean CircuitSat: Techniques from GonRaf19 [2]

Figure: the circuit evaluated from the input upwards, one level at a time.

Once the input is fixed, the knowledge of the input is "transferred" to the next levels, level by level, and then all the wires are determined. Linear and quadratic constraints at some level j are proven assuming the previous layers were already proven ("the promise"). Soundness is proven under this "promise".
SLIDE 22

Boolean CircuitSat: Techniques from GonRaf19 [2]

Example at level j = 3 of the linear promise problem: 2') given (c^(1), c^(2)), openings of O_1 and O_2, the argument shows that L_3 (resp. R_3) can be opened to some a^(3) (resp. b^(3)) in the correct linear relation to (c^(1), c^(2)).

Figure: level vectors (written in bold on the slide) c^(1) = (c_1, c_2, c_3), c^(2) = (c_4, c_5), a^(3) = (a_6), b^(3) = (b_6), with the wiring a_6 = c_4 and b_6 = c_5.

SLIDE 23

Boolean CircuitSat: Techniques from GonRaf19 [2]

Example at level j = 3 of the quadratic promise problem: 3') given (a^(3), b^(3)), openings of L_3 and R_3, the argument shows that O_3 can be opened to some c^(3) that is in the correct quadratic relation to them.

Figure: a^(3) = (a_6), b^(3) = (b_6), c^(3) = (c_6), with c_6 = a_6 ⊗ b_6.

SLIDE 24

Boolean CircuitSat: Techniques from GonRaf19 [2]

2') An argument that assumes correct wiring up to level j − 1 and proves correct wiring at level j. Note that it can be proven at once, for all levels and for both sides (left and right), with the appropriate matrix.

3') One argument per level (d arguments for the whole proof) that assumes correct openings of the left and right wires and proves the evaluation of all gates at level j.

SLIDE 25

Construction of GonRaf19 [2] for Boolean CircuitSat

1) Proof of knowledge of the input, and that the input is boolean.
2') Linear Knowledge Transfer Argument for the linear constraints: the QA-NIZK for membership in linear spaces of Kiltz and Wee [7].
3') Quadratic Knowledge Transfer Argument under the quadratic promise problem.

Arguments 2') and 3') are complete and sound under standard assumptions if the promise problem holds. In the global argument for boolean CircuitSat, at level j the promise holds because of the knowledge of the input and the knowledge transfer arguments of the previous levels 0, . . . , j − 1, which were already proven.



SLIDE 28

Zero-Knowledge in GonRaf19 [2]

Zero-Knowledge is achieved with Groth-Sahai proofs: the shrinking commitments to the left, right and output wires are themselves committed with (randomized, hiding) GS commitments,

[z_L]_1 = Com_GS([L]_1), [z_R]_2 = Com_GS([R]_2), [z_O]_1 = Com_GS([O]_1),

where L = (L_1, . . . , L_d), R = (R_1, . . . , R_d), O = (O_1, . . . , O_d), and the corresponding GS proofs for the quadratic constraints are given with respect to [z_L]_1, [z_R]_2, [z_O]_1. The shrinking commitments alone are deterministic and not hiding; the GS layer is what hides them.

SLIDE 29

Outline: 2 Main construction

SLIDE 30

Our goal: SE NIZK for Boolean CircuitSat under falsifiable assumptions

There exist generic solutions such as the "OR strategy": given some circuit φ and a public input x_p, prove that either the circuit is satisfiable or a signature on M = (φ, x_p) is known, where the simulator uses the secret signing key as its trapdoor. However, this approach is too costly (around 20 group elements) and it changes the relation being proven.


SLIDE 32

Our goal: SE NIZK for Boolean CircuitSat under falsifiable assumptions

We observe that a simulator who computes fake proofs of satisfiability only needs to lie about either the linear constraints or the quadratic constraints.

It is enough that the simulator lies in the last gate, for the linear constraint (figure: the six-gate circuit with the output gate highlighted).

The simulator therefore only needs the trapdoor of the linear argument 2').


SLIDE 34

Our Simulator

Figure: the circuit with the public input x_p at the bottom and the last gate, with wires a_n, b_n, c_n, at the top.

The simulator:
receives the public input x_p,
completes the input with zeros,
evaluates the circuit honestly,
changes the values of the last gate: a_n, b_n arbitrary and c_n = a_n ⊗ b_n.
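The three sub-arguments of the trivial approach (boolean input, linear wiring constraints, quadratic gate constraints, slides 12 to 15), the level-wise shrinking commitments with their many field openings but single consistent one (slides 17 to 19), and the simulator that lies only in the wiring of the last gate (slide 34), worked through in Python as an added example. This is not code from the slides or from the paper: it uses a constructed six-gate circuit with the gate types and wiring of the slides' figure (that gate 2 feeds both gate 4 and gate 5 is an assumption), a small prime field so that commitment openings can be enumerated by brute force, a fixed commitment key instead of a random one, and function names such as `violated_linear` and `simulate` that are this example's own.

```python
from itertools import product

P = 101  # assumption: a small prime field, so commitment openings can be enumerated

# Each boolean gate as a quadratic polynomial over Z_p, exact on {0, 1} inputs:
# these are the "quadratic constraints" of sub-argument 3).
GATE_POLY = {
    "AND":  lambda a, b: a * b,
    "OR":   lambda a, b: a + b - a * b,
    "XOR":  lambda a, b: a + b - 2 * a * b,
    "NAND": lambda a, b: 1 - a * b,
}

# Constructed six-gate circuit with the gate types and wiring of the slides' figure
# (assumption: gate 2 feeds both gate 4 and gate 5). A gate is (op, left, right);
# a source is ("in", k) for input bit k or ("gate", j) for the output c_j of gate j.
CIRCUIT = [
    ("NAND", ("in", 0), ("in", 1)),      # gate 1, level 1
    ("AND",  ("in", 2), ("in", 3)),      # gate 2, level 1
    ("OR",   ("in", 4), ("in", 5)),      # gate 3, level 1
    ("XOR",  ("gate", 1), ("gate", 2)),  # gate 4, level 2: a_4 = c_1, b_4 = c_2
    ("OR",   ("gate", 2), ("gate", 3)),  # gate 5, level 2: a_5 = c_2, b_5 = c_3
    ("NAND", ("gate", 4), ("gate", 5)),  # gate 6, level 3: a_6 = c_4, b_6 = c_5 (output)
]

def source_value(src, inputs, trace):
    """Value on a source wire: an input bit or the output c_j of an earlier gate."""
    return inputs[src[1]] if src[0] == "in" else trace[src[1] - 1][2]

def gate_levels(circuit):
    """Level of each gate (inputs are level 0): one above its deepest source."""
    levels = []
    for _, left, right in circuit:
        levels.append(1 + max(levels[s[1] - 1] if s[0] == "gate" else 0
                              for s in (left, right)))
    return levels

def evaluate(circuit, inputs):
    """Honest evaluation: the wire assignment [(a_i, b_i, c_i)] of every gate."""
    trace = []
    for op, left, right in circuit:
        a, b = source_value(left, inputs, trace), source_value(right, inputs, trace)
        trace.append((a, b, GATE_POLY[op](a, b) % P))
    return trace

def non_boolean_inputs(inputs):
    """Sub-argument 1): x(x - 1) = 0 holds exactly for x in {0, 1}; returns the offenders."""
    return [k for k, x in enumerate(inputs) if (x * (x - 1)) % P]

def violated_linear(circuit, inputs, trace):
    """Sub-argument 2): the wiring is the linear system a_i - (source of a_i) = 0,
    b_i - (source of b_i) = 0. Returns the 1-based gates whose wires break it."""
    bad = []
    for i, (_, left, right) in enumerate(circuit):
        a_ok = (trace[i][0] - source_value(left, inputs, trace)) % P == 0
        b_ok = (trace[i][1] - source_value(right, inputs, trace)) % P == 0
        if not (a_ok and b_ok):
            bad.append(i + 1)
    return bad

def violated_quadratic(circuit, trace):
    """Sub-argument 3): returns the 1-based gates with c_i != poly(a_i, b_i) mod p."""
    return [i + 1 for i, (op, _, _) in enumerate(circuit)
            if (trace[i][2] - GATE_POLY[op](trace[i][0], trace[i][1])) % P]

def commit(key, values):
    """Shrinking commitment of slide 18 (deterministic, not hiding): sum Lambda_i v_i mod p."""
    return sum(k * v for k, v in zip(key, values)) % P

def openings(key, com, promise=None):
    """Every vector in F_p^n opening `com` (p^(n-1) of them). Under the promise that the
    previous level already fixed the values, only the consistent opening survives."""
    return [v for v in product(range(P), repeat=len(key))
            if commit(key, v) == com and (promise is None or v == tuple(promise))]

def simulate(circuit, public_inputs, n_inputs, claimed_output=1):
    """Simulator of slide 34: pad the public input with zeros, evaluate honestly, then set
    the last gate's (a_n, b_n) to any pair whose gate value is the claimed output. All
    quadratic constraints still hold; only the wiring of the last gate is violated."""
    inputs = list(public_inputs) + [0] * (n_inputs - len(public_inputs))
    trace = evaluate(circuit, inputs)
    op = circuit[-1][0]
    a_n, b_n = next(ab for ab in product((0, 1), repeat=2)
                    if GATE_POLY[op](*ab) % P == claimed_output)
    trace[-1] = (a_n, b_n, claimed_output)
    return inputs, trace

if __name__ == "__main__":
    x = [1, 0, 1, 1, 0, 0]                      # constructed satisfying input
    tr = evaluate(CIRCUIT, x)
    print("levels", gate_levels(CIRCUIT), "output", tr[-1][2],
          "violations", violated_linear(CIRCUIT, x, tr), violated_quadratic(CIRCUIT, tr))
    key = (7, 13)                               # assumption: fixed key instead of a random one
    L2 = commit(key, (tr[3][0], tr[4][0]))      # L_2 commits to (a_4, a_5)
    print("openings of L_2:", len(openings(key, L2)),
          "consistent with (c_1, c_2):", openings(key, L2, (tr[0][2], tr[1][2])))
    sx, st = simulate(CIRCUIT, [1, 1, 1, 1], 6)  # the honest output for this input is 0
    print("simulator breaks wiring only at gates", violated_linear(CIRCUIT, sx, st),
          "quadratic ok:", violated_quadratic(CIRCUIT, st) == [])
```

With the honest input the three checks return empty lists. `openings` shows the p field openings of L_2 collapsing to the single one consistent with (c_1, c_2) once the previous level is fixed, which is the linear promise. The simulated trace passes every quadratic check and fails the wiring check exactly at the last gate: that is the property that lets the construction keep the honest quadratic argument 3') and add simulation soundness only to the linear argument 2').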

SLIDE 35

Our main construction

We take as starting point the construction of GonRaf19 [2] and we
replace the linear argument 2') by an Unbounded Simulation Sound (USS) argument for linear spaces under the same linear promise problem, and
use the simulator that lies in the last gate.

We obtain that the whole construction is USS. The USS property is the strongest simulation soundness property: the adversary may have seen any number of simulated proofs.


SLIDE 37

Our main construction

We give a general Unbounded Simulation Extractable Quasi-Adaptive NIZK (USES QA-NIZK) that consists of the following sub-proofs:

1) Proof of knowledge of the input: some BB-extractable commitments to integers are shown to open to binary values.
2') USS argument for linear spaces under the same linear promise problem.
3') Quadratic Knowledge Transfer Argument of [2] with GS commitments and the corresponding GS proofs.

The BB extraction of the input, together with the fact that the circuit is public, gives BB extraction of the whole witness: the remaining wires are recomputed by evaluating the circuit on the extracted input.

SLIDE 38

Concrete USES QA-NIZK for Boolean CircuitSat

We give a concrete USES QA-NIZK:

1) We take the bitstring argument of Daza et al. [1], which lets us prove with quadratic equations that the input is boolean. It is BB extractable since the commitments are ElGamal ciphertexts of 0 or 1, which the extractor decrypts with the secret key.
2') We prove that the most efficient USS argument for linear spaces, the USS QA-NIZK of Kiltz and Wee [7], is still USS under the same linear promise problem.
3') The same quadratic knowledge transfer argument as in GonRaf19 [2].

SLIDE 39

Outline: 3 Applications and Follow-ups

SLIDE 40

Application: Signature of Knowledge

We apply the framework of Groth and Maller [4] directly to our USES QA-NIZK:

our USES QA-NIZK (with BB extractability) + a universal one-way hash function ⇒ a UC-secure Signature of Knowledge for boolean CircuitSat based on falsifiable assumptions in bilinear groups.

SLIDE 41

Generalization of our techniques

Our observation, that simulation soundness can be added to a NIZK argument proving both quadratic and linear equations by adding simulation soundness only to the linear part, extends to every construction with this structure. Since our reduction uses the reductions of the sub-proofs in a black-box way, plugging in a concrete tight linear sub-proof would make the whole reduction tight.

SLIDE 42

Follow-ups

Full version of this work: a tight construction of our framework from a USS QA-NIZK for linear spaces.

Future work: improve our SoK, which is currently obtained through a generic transformation.

SLIDE 43

References

[1] V. Daza, A. González, Z. Pindado, C. Ràfols, and J. Silva. Shorter quadratic QA-NIZK proofs. In D. Lin and K. Sako, editors, PKC 2019, Part I, volume 11442 of LNCS, pages 314–343. Springer, Heidelberg, Apr. 2019.

[2] A. González and C. Ràfols. Shorter pairing-based arguments under standard assumptions. In S. D. Galbraith and S. Moriai, editors, ASIACRYPT 2019, Part III, volume 11923 of LNCS, pages 728–757. Springer, Heidelberg, Dec. 2019.

[3] J. Groth. On the size of pairing-based non-interactive arguments. In M. Fischlin and J.-S. Coron, editors, EUROCRYPT 2016, Part II, volume 9666 of LNCS, pages 305–326. Springer, Heidelberg, May 2016.

[4] J. Groth and M. Maller. Snarky signatures: Minimal signatures of knowledge from simulation-extractable SNARKs. In J. Katz and H. Shacham, editors, CRYPTO 2017, Part II, volume 10402 of LNCS, pages 581–612. Springer, Heidelberg, Aug. 2017.

[5] J. Groth and A. Sahai. Efficient non-interactive proof systems for bilinear groups. In N. P. Smart, editor, EUROCRYPT 2008, volume 4965 of LNCS, pages 415–432. Springer, Heidelberg, Apr. 2008.

[6] C. S. Jutla and A. Roy. Shorter quasi-adaptive NIZK proofs for linear subspaces. In K. Sako and P. Sarkar, editors, ASIACRYPT 2013, Part I, volume 8269 of LNCS, pages 1–20. Springer, Heidelberg, Dec. 2013.

[7] E. Kiltz and H. Wee. Quasi-adaptive NIZK for linear subspaces revisited. In E. Oswald and M. Fischlin, editors, EUROCRYPT 2015, Part II, volume 9057 of LNCS, pages 101–128. Springer, Heidelberg, Apr. 2015.