Efficient Non-Interactive Zero Knowledge Arguments for Set Operations
Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang
University of Tartu, University of Tartu, University of Athens
Motivation: Secure Computation
E(x1),…,E(xn)
E(f(x1,…,xn))
Ok if (x1,…,xn)S
Add NIZK proof
pk
Motivation: Secure Computation (2)
E(S)
E(f(S))
E(T)
E(g(T))
Ok if ST
Add NIZK proof
pk
Proofs for Set Operations
› Encrypted inputs satisfy certain set relations => security against malicious adversaries
› Or even multiset relations
– …⊎ ¿
¿∪
Non-Interactive Zero-Knowledge Proofs
E(x1),…,E(xn)
Proof of Correctness
Complete, Sound, Zero-Knowledge
Proof can be constructed without knowing inputs
Contradiction?
pk
Common Reference String Model
E(x1),…,E(xn)
Proof of Correctness
pk, sk
crs
td
Our results
› NIZK proof for one particular multiset operation
– (PMSET)
› Applications to other (multi)set operations
› Non-interactive
– No random oracle
› Efficient
CRS length: Θ(|S|)
Proof length: Θ(1)
Prover comp.: Θ(|S|)
Verifier comp.: Θ(1)
Cryptographic Building Block: Pairings
› Bilinear operation
– e(f1+f2,f3) = e(f1,f3) + e(f2,f3)
– e(f1,f2+f3) = e(f1,f2) + e(f1,f3)
› With Hardness Assumptions
– Given e(f1,f2), it is hard to compute f1
– …
› Much wow
Commitments
We use a concrete succinct commitment scheme from 2013
Multiset Commitment
Too costly!
Multiset Commitment
• S =>
• polynomial that has S as null-set
• Including multiplicities
• =>
• is secret key
Main Idea
¿
¿iff
• Commitments are randomized
• Proof = a crib E that compensates for randomness
• Enables verification to be performed on commitments
Additional Obstacles
› Soundness:
– We use knowledge assumptions
  › Guarantee that the prover knows the committed values
– Common in succinct NIZK constructions
– [Gentry Wichs 2011]: also necessary
› Zero Knowledge:
– Simulator needs to create a proof for given commitments
  › Not created by the simulator
– We let the prover create new random commitments for all sets
  › Add a NIZK proof of correctness
– Simulator creates fake commitments
  › Uses trapdoor to simulate
Applications
› Mostly use very simple set arithmetic
› Is-a-Sub(multi)set:
– iff exists C such that
› Is-a-Set:
– Multiset A is a set if for universal set U
– In many applications, U is small
› Set-Intersection-And-Union:
– and iff , , and A, B, and D are sets
› See paper for more…