Multi-Theorem Preprocessing NIZKs from Lattices

Size: px

Start display at page:

Download "Multi-Theorem Preprocessing NIZKs from Lattices"

Nancy Dawson
5 years ago
Views:

1 Multi-Theorem Preprocessing NIZKs from Lattices Sam Kim and David J. Wu Stanford University

2 Soundness: x L, P Pr P, V (x) = accept = 0 No prover can convince honest verifier of false statement Proof Systems and Argument Systems [GMR85] x 0,1 NP language L 0,1 accept if x L prover verifier Completeness: x L Pr P, V (x) = accept = 1 Honest prover convinces honest verifier of true statements

3 Soundness: x L, P Pr P, V x = accept = 0 No prover can convince honest verifier of false statement Proof Systems and Argument Systems [GMR85] x 0,1 NP language L 0,1 accept if x L prover verifier In an argument system, we relax soundness to only consider computationally-bounded (i.e., polynomial-time) provers P Completeness: x L Pr P, V (x) = accept = 1 Honest prover convinces honest verifier of true statements

4 Zero-Knowledge Proofs for NP NP language L 0,1 [GMR85] P, V x c S(x) real distribution ideal distribution Zero-Knowledge: for all efficient verifiers V, there exists an efficient simulator S such that: x L P, V x c S(x)

5 Non-Interactive Zero-Knowledge (NIZK) Proofs NP language L 0,1 [BFM88] π c S(x) real distribution ideal distribution In the standard model, this is only achievable for languages L BPP

6 Which Assumptions give NIZKs for NP? σ σ π π prover Random Oracle Model [FS86, PS96] verifier prover verifier Common Reference String (CRS) Model Quadratic Residuosity [BFM88, DMP87, BDMP91] Trapdoor Permutations [FLS90, DDO+01, Gro10] Pairings [GOS06] Indistinguishability Obfuscation + OWFs [SW14]

7 Which Assumptions give NIZKs for NP? π Several major classes of assumptions missing: Discrete-log based assumptions (e.g., CDH, DDH) Lattice-based assumptions (e.g., SIS, LWE) prover Random Oracle Model [FS86, PS96] verifier Common Reference String (CRS) Model Quadratic Residuosity [BFM88, DMP87, BDMP91] Trapdoor Permutations [FLS90, DDO+01, Gro10] Pairings [GOS06] Indistinguishability Obfuscation + OWFs [SW14]

8 Which Assumptions give NIZKs for NP? π Several major classes of assumptions missing: Discrete-log based assumptions (e.g., CDH, DDH) Lattice-based assumptions (e.g., SIS, LWE) prover Random Oracle Model [FS86, PS96] verifier Common Reference String (CRS) Model Quadratic Residuosity [BFM88, DMP87, BDMP91] Trapdoor Permutations [FLS90, DDO+01, Gro10] Pairings [GOS06] Indistinguishability Obfuscation + OWFs [SW14]

9 NIZKs in the Preprocessing Model (Trusted) setup algorithm generates both proving key k P and a verification key k V [DMP88] k P k V prover π = Prove(k P, x, w) Prover algorithm takes proving key k P, NP statement x, and NP witness w verifier Verify(k V, x, π)

10 NIZKs in the Preprocessing Model [DMP88] k P k V π = Prove(k P, x, w) Simpler model than CRS model: Soundness holds assuming k V is hidden Zero-knowledge holds assuming k P is hidden If only k V is private (i.e., k P is public), then the NIZK is designated-verifier

11 NIZKs in the Preprocessing Model [DMP88] k P k V Preprocessing NIZKs One-Way Functions [DMP88, LS90, Dam92, IKOS09] Oblivious Transfer [KMO89] π = Prove(k P, x, w) Simpler model than CRS model: Soundness holds assuming k V is hidden Zero-knowledge holds assuming k P is hidden Designated-Verifier NIZKs Additively-homomorphic encryption [CD04, DFN06, CG15]

12 NIZKs in the Preprocessing Model [DMP88] k P k V Preprocessing NIZKs One-Way Functions [DMP88, LS90, Dam92, IKOS09] Oblivious Transfer [KMO89] π = Prove(k P, x, w) Designated-Verifier NIZKs Additively-homomorphic encryption [CD04, DFN06, CG15] Existing constructions only provide bounded-theorem soundness or bounded-theorem zero-knowledge

13 NIZKs in the Preprocessing Model [DMP88] Bounded-theorem soundness: Soundness holds in a setting where prover can see verifier s response on an a priori bounded number of queries verifier rejection problem Bounded-theorem zero-knowledge: Zero-knowledge holds in a setting where verifier can see proofs on an a priori bounded number of statements Preprocessing NIZKs One-Way Functions [DMP88, LS90, Dam92, IKOS09] Oblivious Transfer [KMO89] Designated-Verifier NIZKs Additively-homomorphic encryption [CD04, DFN06, CG15] Existing constructions only provide bounded-theorem soundness or bounded-theorem zero-knowledge

14 NIZKs in the Preprocessing Model [DMP88] Only known constructions of multi-theorem NIZKs in the preprocessing model are those in the CRS model Can we realize multi-theorem NIZKs in the preprocessing model from standard lattice assumptions? Hope: Preprocessing NIZKs is a stepping stone towards NIZKs from standard lattice assumptions

15 Our Results Can we realize multi-theorem NIZKs in the preprocessing model from standard lattice assumptions? First multi-theorem preprocessing NIZK from LWE (in fact, a designated-prover NIZK) Preprocessing step can be efficiently implemented using OT Several new MPC protocols from lattices: Succinct version of GMW compiler from lattices Two-round, succinct MPC from lattices in a reusable preprocessing model

16 Starting Point: Homomorphic Signatures [BF11, GVW15, ABC+15] ] x sk x σ x σ x is a signature on x with respect to a verification key vk x σ x public operation f(x) σf,f(x) σ f,f(x) is a signature on f(x) with respect to the function f and the verification key vk Homomorphic signatures enable computations on signed data

(One-Time) Unforgeability: vk x sk σ x σ x Sign(sk, x) Adversary wins if σ f,y is a valid

17 Starting Point: Homomorphic Signatures [BF11, GVW15, ABC+15] x σ x public operation f(x) σf,f(x) σ f,f(x) is a signature on f(x) with respect to the function f and the verification key vk ] (One-Time) Unforgeability: vk x sk σ x σ x Sign(sk, x) Adversary wins if σ f,y is a valid signature on y with respect to function f, but y f(x) y σ f,y Unforgeable if no efficient adversary can win

18 Starting Point: Homomorphic Signatures [BF11, GVW15, ABC+15] x σ x public operation f(x) σf,f(x) σ f,f(x) is a signature on f(x) with respect to the function f and the verification key vk ] Context-Hiding: x σ x sk f, f(x) Looks like a zeroknowledge property! f(x) σf,f(x) c f(x) σf,f(x) σ f,f(x) hides the original input x (up to what is revealed by f, f(x)) real distribution ideal distribution [Generalizes to multiple signatures]

19 Homomorphic Signatures to Preprocessing NIZKs w σw Suppose prover has a signature on w Prover evaluates function R x w = R(x, w) R x (w) σrx,1 prover x, w verifier x Goal: Convince verifier that there exists w such that R x, w = 1

20 Homomorphic Signatures to Preprocessing NIZKs w σw Suppose prover has a signature on w Prover evaluates function R x w = R(x, w) R x (w) σrx,1 prover x, w verifier x Verifier checks that σ Rx,1 is a signature on 1 with respect to function R x

21 Homomorphic Signatures to Preprocessing NIZKs w σw Suppose prover has a signature on w Prover evaluates function R x w = R(x, w) R x (w) σrx,1 Soundness: Follows from unforgeability; if verifier accepts, then σ Rx,1 is a signature on 1 with respect to function R x, but R x w = 0

22 Homomorphic Signatures to Preprocessing NIZKs w σw Suppose prover has a signature on w Prover evaluates function R x w = R(x, w) R x (w) σrx,1 Zero-Knowledge: Follows from context-hiding; signature σ Rx,1 can be simulated given sk, R x and R x w = 1

23 Homomorphic Signatures to Preprocessing NIZKs w σw Suppose prover has a signature on w Prover evaluates function R x w = R(x, w) R x (w) σrx,1 Problem: Prover needs signature on w, which depends on the statement being proven (cannot be generated in preprocessing phase)

24 Homomorphic Signatures to Preprocessing NIZKs k σ k Prover is given signature on an encryption key (unknown to the verifier) Solution: Add one layer of indirection!

25 Homomorphic Signatures to Preprocessing NIZKs k σ k Prover is given signature on an encryption key C(unknown x,ct k = Rto x, the Decrypt verifier) k, ct [Checks that ct encrypts a valid witness] w k C x,ct (k) σcx,ct,1 ct Encrypt(k, w) [ct is an encryption of the witness w] Solution: Add one layer of indirection!

26 Homomorphic Signatures to Preprocessing NIZKs k σ k Prover is given signature on an encryption key C(unknown x,ct k = Rto x, the Decrypt verifier) k, ct [Checks that ct encrypts a valid witness] w k C x,ct (k) σcx,ct,1 ct Encrypt(k, w) [ct is an encryption of the witness w] Verifier checks that σ Cx,ct,1 is a signature on 1 with respect to function C x,ct

27 Homomorphic Signatures to Preprocessing NIZKs k σ k Prover is given signature on an encryption key C(unknown x,ct k = Rto x, the Decrypt verifier) k, ct [Checks that ct encrypts a valid witness] w k C x,ct (k) σcx,ct,1 ct Encrypt(k, w) [ct is an encryption of the witness w] Soundness: Follows from unforgeability; if verifier accepts, then σ Cx,ct,1 is a signature on 1 with respect to function C x,ct, but C x,ct k = 0 for all k

28 Homomorphic Signatures to Preprocessing NIZKs k σ k Prover is given signature on an encryption key C(unknown x,ct k = Rto x, the Decrypt verifier) k, ct [Checks that ct encrypts a valid witness] w k C x,ct (k) σcx,ct,1 ct Encrypt(k, w) [ct is an encryption of the witness w] Zero-Knowledge: Follows from context-hiding and semantic security; signature σ Cx,ct,1 can be simulated given sk, C x,ct and C x,ct k = 1 and so, ct hides w

29 Homomorphic Signatures to Preprocessing NIZKs (also publishes vk) k σ k k P π = Prove(k P, x, w) Designated-prover NIZK from context-hiding homomorphic signatures Verify(vk, x, π)

30 Homomorphic Signatures to Preprocessing NIZKs (also publishes vk) k σ k k P π = Prove(k P, x, w) Can instantiate context-hiding homomorphic signatures with lattice-based scheme from [GVW15] [Need some additional properties, but [GVW15] satisfies all properties with some modification] Designated-prover NIZK from context-hiding homomorphic signatures Verify(vk, x, π)

31 Homomorphic Signatures to Preprocessing NIZKs k σ k w Prover is given signature on an encryption key (unknown to the verifier) Homomorphic signatures: unforgeability against computationallybounded adversaries; yields NIZK argument C x,ct (k) σcx,ct,1 Homomorphic commitments: k unforgeability holds against unbounded adversaries; yields NIZK proof Unclear how to implement preprocessing efficiently, so focus will be on homomorphic signature construction Soundness: Follows from unforgeability; if verifier accepts, then σ Cx,ct,1 is a signature on 1 with respect to function C x,ct, but C x,ct k = 0 for all k

32 Constructing Homomorphic Signatures [GVW15] x x 1 x 2 x l Message space: will sign message bit-by-bit Verification key: A Z q n m target matrix for each bit of message: B 1 Z q n m B l Z q n m gadget matrix G Z q n m Signing key: T A Z q m m Trapdoor T A allows sampling short R Z q m m such that AR = B for any B Z q n m [T A is an SIS trapdoor for A]

33 Constructing Homomorphic Signatures [GVW15] x x 1 x 2 x l Message space: will sign message bit-by-bit Verification key: A, B 1,, B l, G Z q n m Signing key: T A Z q m m Sign message x bit-by-bit: A x 1 G B 1 R 1 Signature on x 1 is short R 1 that satisfy this relation (computed using trapdoor T A )

34 Constructing Homomorphic Signatures [GVW15] x x 1 x 2 x l Message space: will sign message bit-by-bit Verification key: A, B 1,, B l, G Z q n m Signing key: T A Z q m m Sign message x bit-by-bit: AR 1 + x 1 G = B 1 AR 2 + x 2 G = B 2 AR l + x l G = B l σ x = R 1,, R l Verification consists of checking that R 1,, R l satisfy these relations

35 Constructing Homomorphic Signatures [GVW15] x x 1 x 2 x l Message space: will sign message bit-by-bit Verification key: A, B 1,, B l, G Z q n m Signing key: T A Z q m m Sign message x bit-by-bit: AR 1 + x 1 G = B 1 AR 2 + x 2 G = B 2 AR l + x l G = B l Function of f, R 1,, R l and x 1,, x l GSW homomorphic operations Function of f, B1,, Bl AR f + f(x) G = B f Additional techniques needed for context-hiding

36 Homomorphic Signatures to Preprocessing NIZKs (also publishes vk) k σ k k P π = Prove(k P, x, w) Designated-prover NIZK from context-hiding homomorphic signatures Verify(vk, x, π)

37 Implementing the Preprocessing Phase k σk π = Prove(k P, x, w) (also publishes vk) Can use generic MPC protocols, but can do this more efficiently using a specialized protocol Verify(vk, x, π) k sk Prover chooses encryption key Goal: prover obtains signature on k without revealing k to verifier Verifier chooses signing key

38 Implementing the Preprocessing Phase Desired notion is a blind homomorphic signature k sk Prover chooses encryption key Goal: prover obtains signature on k without revealing k to verifier Verifier chooses signing key

39 Blind Homomorphic Signatures Recall that signature on the encryption key k consists of k signatures on the bits of k Prover can use oblivious transfer (OT) to obtain signatures on each bit of k Some additional work needed for malicious security [See paper for details] signatures on bits of k k Prover chooses encryption key OT for signatures on bits of k Goal: prover obtains signature on k without revealing k to verifier sk Verifier chooses signing key

40 Blind Homomorphic Signatures Recall that signature on the encryption key k consists of Takeaway: k signatures Preprocessing on the bits of k can be implemented Prover can then using OT for the poly signatures λ parallel on each OT bit of k Some additional work needed for malicious security invocations [See paper for details] signatures on bits of k k Prover chooses encryption key OT for signatures on bits of k Goal: prover obtains signature on k without revealing k to verifier sk Verifier chooses signing key

41 Proof Size and Amortization k σ k Recall: proof consists of an encryption of the witness and a signature w k C x,ct (k) σcx,ct,1 ct = w + poly(λ) σ = poly λ, d C, where d C is the depth of C x,ct Length of NIZK is typically proportional to the size of the NP relation (rather than the depth), and moreover, the overhead is multiplicative in λ (rather than additive)

42 Proof Size and Amortization k σ k Observation: If same witness used for multiple proofs, ciphertext only needs to be included once w k C x,ct (k) σcx,ct,1 Suppose same witness w used to prove statements x 1,, x n (with respect to C 1,, C n ): π i = w + poly(λ, d i ) i [n] i [n] Depth of C 1,, C n

43 A Succinct GMW Compiler Classic GMW compiler (semi-honest to malicious compiler): 1. Each party broadcasts commitment to their local input and randomness 2. Parties run a coin-flipping protocol to determine parties randomness used for computation 3. Parties run semi-honest MPC protocol and attach a NIZK proof that each message is consistent with committed values and randomness MPC: multiple parties seek to compute a joint function of their private inputs Key observation: NIZK proofs share common witness (the committed inputs and randomness)

44 A Succinct GMW Compiler Classic GMW compiler (semi-honest to malicious compiler): 1. Each party broadcasts commitment to their local input Communication overhead is and randomness 2. Parties run a coin-flipping n x + poly protocol n, λ, to ddetermine where parties x randomness is length of used parties for computation input and d is depth 3. Parties (rather run semi-honest than size) MPC of the protocol computation and attach a NIZK proof that each message is consistent with committed values and randomness MPC: multiple parties seek to compute a joint function of their private inputs Key observation: NIZK proofs share common witness (the committed inputs and randomness)

45 Summary Can we realize multi-theorem NIZKs in the preprocessing model from standard lattice assumptions? New multi-theorem designated-prover (public-verifier) NIZKs from homomorphic signatures (based on LWE) New notion of blind homomorphic signatures (formalized in the UC model) for efficient implementation of preprocessing (from OT) New UC-secure NIZK in the preprocessing model from lattices Succinct MPC protocol and succinct GMW compiler [See paper for details]

46 Open Problems NIZKs from lattices in the CRS model Publishing prover state in our preprocessing NIZK compromises zero-knowledge (reveals secret key prover uses to encrypt witnesses) Multi-theorem preprocessing NIZKs from discrete log assumptions (e.g., CDH, DDH) Weaker primitive of homomorphic MAC suffices (will also require secret key to verify proofs) Thank you!

Application to More Efficient Obfuscation

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Program Obfuscation [BGIRSVY01, GGHRSW13] Indistinguishability obfuscation (io)