WO2008022158A2 - System for non-interactive zero-knowledge proofs - Google Patents

Info

Publication number: WO2008022158A2
Authority: WO (WIPO (PCT))
Application number: PCT/US2007/075940
Other languages: French (fr)
Other versions: WO2008022158A3 (en)
Inventors: Jens Groth, Rafail Ostrovsky, Amit Sahai, Brent Waters
Original assignee: The Regents of the University of California; SRI International

Classifications

    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/3218: ... including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • H04L9/008: ... involving homomorphic encryption

Definitions

  • Let $G_q$ be the subgroup of $G$ of order $q$.
  • the subgroup decision problem is to distinguish elements of $G$ from elements of $G_q$.
  • a key is "perfectly binding" if a prover cannot generate a false proof using the key, even if given infinite computing resources. It may be the case that a verifier may be able to decrypt the witness if given sufficiently large computing resources.
  • Figure 4 describes the generation of a common reference string using a perfectly binding key.
  • Large primes p and q are selected 401, preferably by a random process.
  • Let $n = pq$.
  • Descriptions of cyclic groups $G$ and $G_T$ of order $n$ are generated 402.
  • a random generator g of G is selected 403.
  • a bilinear map $e: G \times G \to G_T$ is identified 405.
  • the common reference string $\sigma = (n, G, G_T, e, g, h)$ is generated 406 and is made known to all parties.
  • Figure 5 describes the generation of a common reference string using a perfectly hiding key.
  • Large primes p and q are selected 501, preferably by a random process.
  • Let $n = pq$.
  • Descriptions of cyclic groups $G$ and $G_T$ of order $n$ are generated 502.
  • a random generator g of G is selected 503.
  • a bilinear map $e: G \times G \to G_T$ is identified 505.
  • the common reference string $\sigma = (n, G, G_T, e, g, h)$ is generated 506 and is made known to all parties.
  • Figure 6 describes the reception of a message $m$ and the generation of a proof $\pi$ that $m \in \{0,1\}$.
  • a message $m \in \{0,1\}$ and a random integer $r \in \mathbb{Z}_n$ are received 601.
  • a ciphertext of the message, $c = g^m h^r$, is computed 602.
  • the proof $\pi = (g^{2m-1} h^r)^r$ is computed 603.
  • the value ⁇ provides a zero-knowledge proof that c encrypts a 0 or a 1.
  • Figure 7 describes the verification process.
  • a verifier receives 701 the common reference string $\sigma$, such as generated in the process described in Figure 4 or 5, a ciphertext $c \in G$, and a proof value $\pi \in G$.
  • Let $G_{\mathrm{DLIN}}$ be a randomized algorithm that outputs $(p, G, G_T, e, g)$ such that $p$ is prime, $G$ and $G_T$ are descriptions of groups of order $p$, $e: G \times G \to G_T$ is a bilinear map and $g$ is a random generator for $G$.
  • Figure 8 describes the generation of a common reference string using a perfectly binding key.
  • Large prime p is selected 801, preferably by a random process.
  • Descriptions of cyclic groups $G$ and $G_T$ of order $p$ are generated and a bilinear map $e: G \times G \to G_T$ is identified 802.
  • the common reference string $\sigma = (p, G, G_T, e, g, f, h, u, v, w)$ is generated 805 and is made known to all parties.
  • Figure 9 describes the generation of a common reference string using a perfectly hiding key.
  • Large prime p is selected 901, preferably by a random process.
  • Descriptions of cyclic groups $G$ and $G_T$ of order $p$ are generated and a bilinear map $e: G \times G \to G_T$ is identified 902.
  • the common reference string $\sigma = (p, G, G_T, e, g, f, h, u, v, w)$ is generated 905 and is made known to all parties.
  • Figure 10 describes the selection of a message $m$ and the generation of a proof $\pi$ that a ciphertext encrypts $m \in \{0,1\}$.
  • a message $m \in \{0,1\}$ and random integers $r, s \in \mathbb{Z}_p$ are selected 1001.
  • a proof $\pi = (\pi_{11}, \pi_{12}, \pi_{13}, \pi_{21}, \pi_{22}, \pi_{23})$ is determined 1003 by selecting an arbitrary value $t \in \mathbb{Z}_p$ and computing:
  • Figure 11 describes the verification process for the proof generated by the process of Figure 10.
  • a verifier receives 1101 the common reference string $\sigma$, such as generated in the process described in Figure 8 or 9, a ciphertext $c \in G \times G \times G$ and a proof value $\pi$ as described above in connection with Figure 10.
  • the bilinear map e from the common reference string is used to check 1103 whether the following six conditions all hold:
  • C-SAT NIZK proof for Circuit Satisfiability
  • the common reference string is a perfectly binding string such as described above.
  • $C(w) = 1$ when this is the case.
  • FIG. 12 describes an embodiment of a NIZK proof of circuit satisfiability.
  • commitments $\mathrm{com}(w_i; r_i)$ to the wire values $w_i$ using random elements $r_i$ and a method such as described above 1202.
  • Figure 13 describes an embodiment of a process for verifying a NIZK proof of circuit satisfiability such as described in Figure 12.
  • the computer will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device and at least one output device.
  • One or more programs are preferably implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language, and combined with hardware implementations.

Abstract

Systems and methods for generating non-interactive zero-knowledge (NIZK) proofs. A homomorphic commitment scheme provides a NIZK proof that a commitment contains 0 or 1. A NIZK proof that a triple of wire assignments satisfies a NAND-gate is generated relying on the homomorphic property of the commitment scheme. A NIZK proof of circuit satisfiability is provided that uses NIZK proofs of NAND-gate satisfiability and the homomorphic commitment scheme.

Description

SYSTEM FOR NON-INTERACTIVE ZERO-KNOWLEDGE PROOFS
CROSS REFERENCE TO RELATED APPLICATIONS
[0001] This application claims priority under 35 U.S.C. § 119(e) from U.S. Provisional Patent Application No. 60/822,365, entitled "SYSTEM FOR NON-INTERACTIVE ZERO-KNOWLEDGE PROOFS" filed on 08/14/2006, which is incorporated herein by reference in its entirety.
FIELD
[0002] The technical field generally relates to cryptographic systems and specifically relates to non-interactive zero-knowledge proofs.
BACKGROUND
[0003] Non-interactive zero-knowledge (NIZK) proofs allow a prover to create a proof of membership of an NP language. The proof can be used to convince another that a statement in question belongs to the language, but the zero-knowledge property ensures that the proof will reveal nothing but the truth of the statement. NIZK proofs are fundamental cryptographic primitives used in many constructions, including CCA2-secure cryptosystems, digital signatures, and various cryptographic protocols. Some embodiments disclosed herein are new techniques for constructing NIZK proofs based on groups with a bilinear map. In comparison with previous constructions of NIZK proofs, the techniques disclosed herein yield significant reductions in the length of the common reference string and the size of the proofs. The techniques disclosed herein allow us to answer long-standing open questions in the theory of non-interactive zero-knowledge. We construct a perfect NIZK argument system for all NP languages.
[0004] Blum, Feldman, and Micali, in Non-interactive zero-knowledge and its applications in the proceedings of STOC '88, pp. 103-112, 1988, introduced the notion of NIZK in the common random string model and showed how to construct computational NIZK proof systems for proving a single statement about any NP language. The first computational NIZK proof system for multiple theorems was constructed by Blum, De Santis, Micali, and Persiano in Noninteractive zero-knowledge in SIAM Journal of Computation, 20(6), pp. 1084-1118, 1991. Both papers based their NIZK systems on certain number-theoretic assumptions (specifically, the hardness of deciding quadratic residues modulo a composite number). Feige, Lapidot, and Shamir in Multiple non-interactive zero knowledge proofs under general assumptions in SIAM Journal of Computing, 29(1), pp. 1-28, 1999, showed how to construct computational NIZK proofs based on any trapdoor permutation. Much research has been devoted to the construction of efficient NIZK proofs, but until now the only known method to do so has been the hidden random bits method. By this we mean a method wherein the prover has a string of random bits, which are secret to the verifier. By revealing a subset of these bits, and keeping the rest secret, the prover can convince the verifier of the truth of the statement in question. Improvements in the efficiency of NIZK proofs have come in the form of various ways to set up a hidden random bits model and how to use it optimally.
SUMMARY
[0005] We disclose herein a set of completely different techniques to construct NIZK proofs. We describe special types of commitment schemes, where it is possible to prove that a commitment contains 0 or 1. The commitment schemes can be used to generate a NIZK proof that three elements $b_0, b_1, b_2 \in \{0,1\}$ represent valid inputs $b_0, b_1$ and output $b_2$ for a NAND-gate, i.e., that $b_2 = \neg(b_0 \wedge b_1)$. This yields very simple and efficient NIZK proof systems. We show that these proof commitments can be constructed from specific number theoretic assumptions related to groups equipped with a bilinear map. For comparison of the techniques described herein with the most efficient previous techniques for generating NIZK proofs of the satisfiability of a circuit $C$, please see Table 1. A security parameter $k$ represents the length of the order of a group used to generate a NIZK proof, i.e., $k = \lceil \log_2 |G| \rceil$, where $G$ is a group used to generate the NIZK proof. Importantly, the size of the common reference string (CRS) used to generate the NIZK proof using the techniques described herein is proportionate to $k$, and the size of the NIZK proof generated is proportionate to the product of the circuit size $|C|$ and $k$. Thus, the techniques disclosed herein are significantly more efficient than previously known techniques.
[Table 1: comparison of CRS length and proof size against the prior techniques cited below; the table is an image on the source page and is not reproduced here.]
Table 1 References:
[Dam92] Ivan Damgård, Non-interactive circuit based proofs and non-interactive perfect zero-knowledge with preprocessing. Proceedings of EUROCRYPT '92, LNCS series, volume 658, pp. 341-355, 1992.
[KP98] Joe Kilian and Erez Petrank, An efficient noninteractive zero-knowledge proof system for NP with general assumptions, Journal of Cryptology, 11(1), pp. 1-27, 1998.
[DDP99] Alfredo De Santis, Giovanni Di Crescenzo, and Giuseppe Persiano, Non-interactive zero-knowledge: A low-randomness characterization of NP, Proceedings of ICALP '99, LNCS series, v. 1644, pp. 271-280, 1999.
[DDP02] Alfredo De Santis, Giovanni Di Crescenzo, and Giuseppe Persiano, Randomness-optimal characterization of two NP proof systems, Proceedings of RANDOM '02, LNCS series, v. 2483, pp. 179-193, 2002.
BRIEF DESCRIPTION OF THE DRAWINGS
[0006] The foregoing summary, as well as the following detailed description, is better understood when read in conjunction with the appended drawings. For the purpose of illustrating non-interactive zero knowledge proofs, there is shown in the drawings exemplary constructions thereof; however, the generation and application of non-interactive zero- knowledge proofs is not limited to the specific methods and instrumentalities disclosed.
[0007] Figure 1 is a flow diagram of an example method for generating a common reference string;
[0008] Figure 2 is a flow diagram of an example method for generating a non-interactive zero-knowledge proof that a message encrypts a 0 or a 1;
[0009] Figure 3 is a flow diagram of an example method for verifying a non-interactive zero-knowledge proof such as described in Figure 2;
[0010] Figure 4 is a flow diagram of an example method for generating a common reference string using a perfectly binding key;
[0011] Figure 5 is a flow diagram of an example method for generating a common reference string using a perfectly hiding key;
[0012] Figure 6 is a flow diagram of an example method for generating a non-interactive zero-knowledge proof that a message encrypts a 0 or a 1;
[0013] Figure 7 is a flow diagram of an example method for verifying a non-interactive zero-knowledge proof such as described in Figure 6;
[0014] Figure 8 is a flow diagram of an example method for generating a common reference string using a perfectly binding key and a group of prime order;
[0015] Figure 9 is a flow diagram of an example method for generating a common reference string using a perfectly hiding key and a group of prime order;
[0016] Figure 10 is a flow diagram of an example method for generating a non-interactive zero-knowledge proof that a message encrypts a 0 or a 1;
[0017] Figure 11 is a flow diagram of an example method for verifying a non-interactive zero-knowledge proof such as described in Figure 10;
[0018] Figure 12 is a flow diagram of an example method for generating a non-interactive zero-knowledge proof of circuit satisfiability; and
[0019] Figure 13 is a flow diagram of an example method for verifying a non-interactive zero-knowledge proof of circuit satisfiability.
DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS
[0020] The inventive subject matter is described with specificity to meet statutory requirements. However, the description itself is not intended to limit the scope of this patent. Rather, the inventor has contemplated that the claimed subject matter might also be embodied in other ways, to comprise different steps or combinations of steps similar to the ones described in this document, in conjunction with other present or future technologies. Moreover, although the term "step" may be used herein to connote different elements of methods employed, the term should not be interpreted as implying any particular order among or between various steps herein disclosed unless and except when the order of individual steps is explicitly described.
[0021] Let $R$ be an efficiently computable binary relation. For pairs $(x, w) \in R$ we call $x$ the statement and $w$ the witness. Let $L$ be the language consisting of statements in $R$. A non-interactive proof system for a relation $R$ consists of a common reference string generation algorithm $K$, a prover $P$ and a verifier $V$. Typically, $K$, $P$, and $V$ will all be probabilistic polynomial time algorithms. The common reference string generation algorithm $K$ produces a common reference string $\sigma$ of length $\Omega(k)$. The prover $P$ takes as input $(\sigma, x, w)$ and produces a proof $\pi$. The verifier $V$ takes as input $(\sigma, x, \pi)$ and outputs 1 if the proof is acceptable and 0 if rejecting the proof.
Homomorphic Proof Commitments / Encryptions
[0022] We disclose herein a non-interactive commitment scheme with some special properties. The teachings herein may also be applied to an encryption scheme, and the properties of commitment schemes described herein may be extended to encryption schemes. In a non-interactive commitment scheme there is a key generator, which generates a public commitment key $ck$. The commitment key $ck$ defines a message space $M_{ck}$, a randomizer space $R_{ck}$ and a commitment space $C_{ck}$. The key generation algorithm is probabilistic polynomial time and outputs keys of length $\Theta(n)$. In the following discussions, it will in general be obvious which key we are using, so we will sometimes omit it in our notation. There is an efficient commitment algorithm $\mathrm{com}$ that takes as input the commitment key, a message and a randomizer and outputs a commitment, $c = \mathrm{com}(m; r)$. We call $(m, r)$ an opening of $c$.
[0023] The commitment scheme must be binding and hiding. Binding means that it is infeasible to find two openings with different messages of the same commitment. Hiding means that given a commitment it is infeasible to guess which message is inside the commitment. Some embodiments have a commitment scheme that has two different flavors of keys. The commitment key can be perfectly binding, in which case a valid commitment uniquely defines one possible message. Alternatively, the commitment key can be perfectly hiding, in which case the commitment reveals no information whatsoever about the message. In fact, we can create perfect hiding keys together with some trapdoor information such that we can open a commitment to any message. We require that these two kinds of keys are computationally indistinguishable.
[0024] We will consider commitments where the message space $(M, +, 0)$, the randomizer space $(R, +, 0)$ and the commitment space $(C, \cdot, 1)$ are finite abelian groups. The commitment scheme should be homomorphic, i.e., for all messages and randomizers we have $\mathrm{com}(m_1 + m_2; r_1 + r_2) = \mathrm{com}(m_1; r_1) \cdot \mathrm{com}(m_2; r_2)$.
[0025] We will require that the message space has a generator 1, and also that it has order at least 3. The property that sets proof commitments apart from other commitments is that there is a way to prove that a commitment contains 0 or 1. More precisely, if the key is of the perfect binding type, then it is possible to prove that there exists an opening $(m, r) \in \{0,1\} \times R$. On the other hand, if it is a perfect hiding key, then the proof will be perfectly witness-indistinguishable, i.e., it is impossible to tell whether the message is 0 or 1.
[0026] A commitment scheme is a method that allows a user to commit to a value without revealing the value and preserving the user's ability to reveal the committed value at a later time. For example, a ciphertext value encrypting the value is sent by the user to a receiver, committing the user to the value encrypted but hiding the value from the receiver. A proof scheme is a method that allows the user to provide information that will convince a receiver that a ciphertext encrypts a valid value without revealing any information about the encrypted value. Methods and systems for implementing commitment and proof schemes are described below.
The Boneh-Goh-Nissim (BGN) Cryptosystem
[0027] Boneh, Goh and Nissim have suggested a cryptosystem with homomorphic properties useful for bit commitment and proof schemes. Their system is described in Dan Boneh, Eu-Jin Goh, and Kobbi Nissim, Evaluating 2-DNF formulas on ciphertexts, in the proceedings of TCC '05, LNCS series, volume 3378, pp. 325-341, 2005. The BGN cryptosystem is an important tool for the systems and methods disclosed below and makes use of bilinear groups as follows. The system uses two cyclic groups $G$ and $G_1$ of composite order $n$, where $n = pq$ and $p, q$ are primes, and a bilinear map $e: G \times G \to G_1$. Thus, for all $u, v \in G$ and $a, b \in \mathbb{Z}$ (where $\mathbb{Z}$ is the integers), we have $e(u^a, v^b) = e(u, v)^{ab}$. It is required that the bilinear map $e$ have the property that $e(g, g)$ is a generator of $G_1$ if $g$ is a generator of $G$. It is also required that group operations, group membership, the sampling of a random generator for $G$ and the bilinear map be efficiently computable. The following example was suggested in "Evaluating 2-DNF formulas on ciphertexts." Pick large primes $p, q$ and let $n = pq$. Find the smallest $l$ so that $P = ln - 1$ is prime and congruent to 2 modulo 3. Consider the points on the elliptic curve $y^2 = x^3 + 1$ over $\mathbb{F}_P$, the Galois field with $P$ elements. This curve has $P + 1 = ln$ points, so it necessarily has a subgroup $G$ of order $n$. Let $G_1$ be the order-$n$ subgroup of $\mathbb{F}_{P^2}^*$ and $e: G \times G \to G_1$ be the modified Weil pairing. This example is provided for illustrative purposes only and is not intended to be limiting. As may be appreciated, any two cyclic groups of suitable orders admitting a bilinear map may be used.
[0028] A public key may be generated by first running an algorithm, such as known in the art, that takes a security parameter as an input and outputs $(p, q, G, G_1, e)$ such that $p$ and $q$ are primes, $G$ and $G_1$ are descriptions of groups of order $n = pq$, and $e: G \times G \to G_1$ is a bilinear map. A random generator $g$ of $G$ is selected, and a random generator $h$ of $G_q$, the subgroup of $G$ of order $q$. The public key is $(n, G, G_1, e, g, h)$. The decryption key is $p$ and $q$.
[0029] To encrypt a message $m$ using randomness $r \in \mathbb{Z}_n^*$, compute the ciphertext $c = g^m h^r$. To decrypt, compute $c^q = g^{mq} h^{rq} = (g^q)^m$ and exhaustively search for $m$ using knowledge of $g$ and $q$. Note that $h^{rq} = (h^q)^r = 1$ since $h$ has order $q$.
NIZK Proofs that a Ciphertext Encrypts a 0 or 1 Using the BGN Cryptosystem
[0030] We describe below an embodiment of the construction of a non-interactive zero- knowledge proof that a ciphertext encrypted with the BGN cryptosystem encrypts a message that is either 0 or 1. A common reference string is generated such as described below and in Figure 1, for example. A message is encrypted using the BGN cryptosystem, and a proof is generated as described below and in Figure 2. The proof may be used to convince a verifier that the ciphertext encrypts a 0 or a 1 without revealing to the verifier which, as described below and in Figure 3. Note that if the message m is 1, then the ciphertext is c = ghr and so cgΛ = K is a member of Gq the subgroup of G of order q. If m is 0, then the ciphertext is c = hr which is a member of Gq.
[0031] Figure 1 describes the generation of a common reference string that will be made known to all parties. Large primes $p$ and $q$ are selected 101, preferably by a random process. Let $n = pq$. Descriptions of cyclic groups $G$ and $G_1$ of order $n$ are generated 102. Random generators $g$ of $G$ and $h$ of $G_q$, the subgroup of $G$ of order $q$, are selected 103 and a bilinear map $e: G \times G \to G_1$ is identified 104. The common reference string $\sigma = (n, G, G_1, e, g, h)$ is generated 105 and is made known to all parties. The generation of this common reference string $\sigma$ may be accomplished by a random key generation algorithm such as known in the art and described above in connection with the BGN cryptosystem. [Can we say more about this algorithm?]
[0032] Figure 2 describes the generation of a proof $\pi$ that a ciphertext of a message $m$ encrypts a 0 or a 1. A message $m \in \{0, 1\}$ and an integer witness $w$ are received 201. A ciphertext of the message, $c = g^m h^w$, is computed 202. A value $r$ is randomly selected from $\mathbb{Z}_n^*$, the units of $\mathbb{Z}_n$ (i.e., the elements of $\mathbb{Z}_n$ that are not divisible by $p$ or $q$) 203. The proof string $\pi = (\pi_1, \pi_2, \pi_3)$ is computed 204, where $\pi_1 = h^r$ and $\pi_3 = g^r$. The string $\pi$ provides a zero-knowledge proof that $c$ encrypts "0" or "1".
[0033] Figure 3 describes the verification process. A verifier receives 301 the common reference string $\sigma$, such as generated in the process described in Figure 1, a ciphertext $c \in G$, and a proof string $\pi \in G \times G \times G$. Because the proof string is required to lie in $G \times G \times G$, the verifier should confirm membership of $c$ and of each $\pi_i$ in $G$ (efficiently computable, as required in [0027]) before applying the bilinear map. The bilinear map $e$ from the common reference string is used to check 302 whether $e(c, c g^{-1}) = e(\pi_1, \pi_2)$. If not, the verification process is terminated and a failure indication is returned 303. If the check succeeds, the process then checks 304 whether $e(\pi_1, g) = e(h, \pi_3)$. If the second check fails, the verification process is terminated and a failure indication is returned 305. If the second check succeeds, a success indication is returned 306 and the verifier is convinced that the ciphertext encrypts either a 0 or a 1. Note that if the message $m$ is 1, then the ciphertext is $c = g h^r$ and so $c g^{-1} = h^r$ is a member of $G_q$, the subgroup of order $q$. If $m$ is 0, then the ciphertext is $c = h^r$, which is a member of $G_q$.
NIZK Proofs that a Ciphertext Encrypts a 0 or 1 Based on the Subgroup Decision Problem
[0034] We describe embodiments of proof schemes based on the subgroup decision problem. Let $\mathcal{G}_{BGN}$ be a randomized algorithm that outputs $(p, q, G, G_T, e, g)$ such that $p < q$ are primes and $n = pq$ is a $k$-bit number, $G$ and $G_T$ are descriptions of groups of order $n$, $e: G \times G \to G_T$ is a bilinear map and $g$ is a random generator for $G$. Let $G_q$ be the subgroup of $G$ of order $q$. The subgroup decision problem is to distinguish elements of $G$ from elements of $G_q$.

[0035] We say that a key is "perfectly binding" if a prover cannot generate a false proof using the key, even if given infinite computing resources. It may be the case that a verifier may be able to decrypt the witness if given sufficiently large computing resources.
[0036] We say that a key is "perfectly hiding" if a verifier cannot decrypt the witness even if given infinite computing power. It may be the case that the prover could generate a false proof using the key, but generating such a false proof may require substantial computing resources. The two kinds of key described below differ only in whether $h$ lies in $G_q$ or generates all of $G$, so a party that could tell a perfectly binding key from a perfectly hiding one would solve the subgroup decision problem.
[0037] Figure 4 describes the generation of a common reference string using a perfectly binding key. Large primes $p$ and $q$ are selected 401, preferably by a random process. Let $n = pq$. Descriptions of cyclic groups $G$ and $G_T$ of order $n$ are generated 402. A random generator $g$ of $G$ is selected 403. A random generator $h$ of $G_q$, the subgroup of $G$ of order $q$, is determined 404 by randomly selecting a value $x$ in $\mathbb{Z}_q^*$ (i.e., $x$ is not divisible by $q$) and defining $h = g^{px}$. A bilinear map $e: G \times G \to G_T$ is identified 405. The common reference string $\sigma = (n, G, G_T, e, g, h)$ is generated 406 and is made known to all parties.
[0038] Figure 5 describes the generation of a common reference string using a perfectly hiding key. Large primes $p$ and $q$ are selected 501, preferably by a random process. Let $n = pq$. Descriptions of cyclic groups $G$ and $G_T$ of order $n$ are generated 502. A random generator $g$ of $G$ is selected 503. A second random generator $h$ of $G$ is determined 504 by randomly selecting a value $x$ in $\mathbb{Z}_n^*$ (i.e., $x$ is not divisible by $p$ or $q$) and defining $h = g^x$. A bilinear map $e: G \times G \to G_T$ is identified 505. The common reference string $\sigma = (n, G, G_T, e, g, h)$ is generated 506 and is made known to all parties.
[0039] Figure 6 describes the reception of a message $m$ and the generation of a proof $\pi$ that $m \in \{0, 1\}$. A message $m \in \{0, 1\}$ and a random integer $r \in \mathbb{Z}_n$ are received 601. A ciphertext of the message, $c = g^m h^r$, is computed 602. The proof $\pi = (g^{2m-1} h^r)^r$ is computed 603. The value $\pi$ provides a zero-knowledge proof that $c$ encrypts a 0 or a 1.
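The proof $\pi = (g^{2m-1} h^r)^r$ of Figure 6, the verifier's single pairing check $e(c, c g^{-1}) = e(h, \pi)$ of Figure 7, the decryption of [0029], and the binding and hiding keys of Figures 4 and 5, worked through in a toy model. This is an added example, not code from the patent: the bilinear group is replaced by $(\mathbb{Z}_n, +)$ with generator $g = 1$, so "$g^a$" becomes $a \cdot g \bmod n$ and a product of group elements becomes a sum, and the pairing is $e(a, b) = ab \bmod n$, which is bilinear and non-degenerate but has trivial discrete logarithms. The toy therefore reproduces the algebra of the scheme (completeness for $m \in \{0,1\}$, rejection of $m = 2$ under a binding key, and simulation of any ciphertext under a hiding key), not its security; the primes, randomness and trapdoor handling are constructed for illustration.

```python
"""Toy model of the subgroup-decision NIZK that a ciphertext encrypts 0 or 1.

Added example, not code from the patent. The bilinear group is modelled
additively: G = (Z_n, +) with generator g = 1, so g^a is a*g mod n and a
product of group elements is a sum; the pairing is e(a, b) = a*b mod n, which
is bilinear and non-degenerate but leaks discrete logarithms. The example
reproduces the algebra of Figures 4 to 7 and the decryption of [0029], not
the hardness of the subgroup decision problem.
"""
import random

P, Q = 1009, 1013       # toy primes; real parameters use primes of hundreds of bits
N = P * Q               # composite group order n = pq
G = 1                   # generator of (Z_n, +)


def pair(a, b):
    """Toy bilinear map: e(x*a, y*b) = x*y*e(a, b) mod n."""
    return (a * b) % N


def crs_binding(rng=random):
    """Figure 4: h = g^(p*x) with x in Z_q^*, so h generates the order-q subgroup."""
    x = rng.randrange(1, Q)
    return {"g": G, "h": (P * x * G) % N}


def crs_hiding(rng=random):
    """Figure 5: h = g^x with x a unit mod n, so h generates all of G."""
    x = rng.randrange(1, N)
    while x % P == 0 or x % Q == 0:
        x = rng.randrange(1, N)
    return {"g": G, "h": (x * G) % N}


def encrypt(crs, m, r):
    """c = g^m h^r (additively m*g + r*h)."""
    return (m * crs["g"] + r * crs["h"]) % N


def decrypt_binding(crs, c, msg_space=(0, 1)):
    """[0029]: c^q = (g^q)^m because h^q = 1; search the small message space."""
    target = (Q * c) % N
    for m in msg_space:
        if (Q * m * crs["g"]) % N == target:
            return m
    raise ValueError("ciphertext is not in the message space")


def prove01(crs, m, r):
    """Figure 6: pi = (g^(2m-1) h^r)^r."""
    return (r * ((2 * m - 1) * crs["g"] + r * crs["h"])) % N


def verify01(crs, c, pi):
    """Figure 7: accept iff e(c, c g^-1) = e(h, pi).  Expanding both sides
    leaves e(g, g)^(m(m-1)), which is trivial exactly when m is 0 or 1."""
    return pair(c, (c - crs["g"]) % N) == pair(crs["h"], pi)


def simulate01(crs, c):
    """Zero-knowledge simulator for the hiding key: h is a unit mod n, so any
    c can be opened as com(0; r') with r' = c * h^-1 and proven honestly.
    (In a real group this step needs the trapdoor x with h = g^x; the toy
    pairing makes it free.)  Under the binding key h is not a unit, pow()
    raises ValueError, and no such opening exists."""
    r_fake = (c * pow(crs["h"], -1, N)) % N
    return prove01(crs, 0, r_fake)


def demo(rng=random):
    """Exercise completeness, soundness and simulation; returns check results."""
    out = {}
    crs = crs_binding(rng)
    for m in (0, 1):
        r = rng.randrange(1, N)
        c = encrypt(crs, m, r)
        out[f"binding_accepts_m{m}"] = verify01(crs, c, prove01(crs, m, r))
        out[f"binding_decrypts_m{m}"] = decrypt_binding(crs, c) == m
    r = rng.randrange(1, N)
    # m = 2 leaves e(g, g)^2 on the left-hand side, so the check must fail.
    out["binding_rejects_m2"] = not verify01(crs, encrypt(crs, 2, r), prove01(crs, 2, r))
    crs_h = crs_hiding(rng)
    c = encrypt(crs_h, 2, rng.randrange(1, N))
    out["hiding_simulates_any_c"] = verify01(crs_h, c, simulate01(crs_h, c))
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The verification identity is the whole scheme: $e(c, c g^{-1}) = e(g, g)^{m(m-1)} \cdot e(h, (g^{2m-1} h^r)^r)$, so a proof of the stated form exists exactly when $m(m-1) = 0$. With the binding key this is perfect soundness, because $h$ has order $q$ and an element of $G_q$ cannot absorb the $e(g,g)^{m(m-1)}$ term; with the hiding key any $c$ is a commitment to 0 under some randomness, which is why the simulator above always succeeds.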
[0040] Figure 7 describes the verification process. A verifier receives 701 the common reference string $\sigma$, such as generated in the process described in Figure 4 or 5, a ciphertext $c \in G$, and a proof value $\pi \in G$. The bilinear map $e$ from the common reference string is used to check 702 whether $e(c, c g^{-1}) = e(h, \pi)$. If not, the verification process is terminated and a failure indication is returned 703. If the check succeeds, a success indication is returned 704 and the verifier is convinced that the ciphertext encrypts either "0" or "1".

NIZK Proofs that a Ciphertext Encrypts a 0 or 1 Using Groups of Prime Order
[0041] We describe embodiments of proof schemes based on the decisional linear assumption. The decisional linear assumption was introduced by Boneh, Boyen and Shacham in "Short group signatures", Proceedings of CRYPTO '04, LNCS volume 3152, pp. 41-55, 2004. Let $\mathcal{G}_{DLIN}$ be a randomized algorithm that outputs $(p, G, G_T, e, g)$ such that $p$ is prime, $G$ and $G_T$ are descriptions of groups of order $p$, $e: G \times G \to G_T$ is a bilinear map and $g$ is a random generator for $G$.
[0042] Figure 8 describes the generation of a common reference string using a perfectly binding key. A large prime $p$ is selected 801, preferably by a random process. Descriptions of cyclic groups $G$ and $G_T$ of order $p$ are generated and a bilinear map $e: G \times G \to G_T$ is identified 802. A random generator $g$ of $G$ is selected and random generators $f$ and $h$ of $G$ are determined by selecting random values $x$ and $y$ in $\mathbb{Z}_p^*$ and computing $f = g^x$ and $h = g^y$ in step 803. Random elements $a$ and $b$ in $\mathbb{Z}_p$ and a nonzero element $z$ in $\mathbb{Z}_p^*$ are selected 806 and the triple $(u, v, w) = (f^a, h^b, g^{a+b+z})$ is computed 804; since $z \neq 0$, $(u, v, w)$ is not a linear tuple with respect to $(f, h, g)$. The common reference string $\sigma = (p, G, G_T, e, g, f, h, u, v, w)$ is generated 805 and is made known to all parties.
[0043] Figure 9 describes the generation of a common reference string using a perfectly hiding key. A large prime $p$ is selected 901, preferably by a random process. Descriptions of cyclic groups $G$ and $G_T$ of order $p$ are generated and a bilinear map $e: G \times G \to G_T$ is identified 902. A random generator $g$ of $G$ is selected and random generators $f$ and $h$ of $G$ are determined by selecting random values $x$ and $y$ in $\mathbb{Z}_p^*$ and computing $f = g^x$ and $h = g^y$ in step 903. Random elements $a$ and $b$ in $\mathbb{Z}_p$ are selected 906 and the triple $(u, v, w) = (f^a, h^b, g^{a+b})$ is computed 904; this is the construction of Figure 8 with $z = 0$, so that $(u, v, w)$ is a linear tuple with respect to $(f, h, g)$. The common reference string $\sigma = (p, G, G_T, e, g, f, h, u, v, w)$ is generated 905 and is made known to all parties.
[0044] Figure 10 describes the selection of a message $m$ and the generation of a proof $\pi$ that a ciphertext encrypts $m \in \{0, 1\}$. Note that the proof technique described here will work with either the perfectly binding key as described above in connection with Figure 8 or the perfectly hiding key as described above in connection with Figure 9. A message $m \in \{0, 1\}$ and random integers $r, s \in \mathbb{Z}_p$ are selected 1001. A ciphertext of the message, $c = (c_1, c_2, c_3) = (u^m f^r, v^m h^s, w^m g^{r+s})$, is computed 1002. A proof $\pi = (\pi_{11}, \pi_{12}, \pi_{13}, \pi_{21}, \pi_{22}, \pi_{23})$ is determined 1003 by selecting an arbitrary value $t \in \mathbb{Z}_p$ and computing:
(Equation image: the expressions for $\pi_{11}, \pi_{12}, \pi_{13}, \pi_{21}, \pi_{22}, \pi_{23}$ appear in the source only as an image and are not reproduced in the text.)
[0045] Figure 11 describes the verification process for the proof generated by the process of Figure 10. A verifier receives 1101 the common reference string $\sigma$, such as generated in the process described in Figure 8 or 9, a ciphertext $c \in G \times G \times G$ and a proof value $\pi$ as described above in connection with Figure 10. For convenience in the computations that follow, we first compute 1102:

$\pi_{31} = \pi_{11}\pi_{21}, \qquad \pi_{32} = \pi_{12}\pi_{22}, \qquad \pi_{33} = \pi_{13}\pi_{23}.$
The bilinear map e from the common reference string is used to check 1103 whether the following six conditions all hold:
(Equation image: the six pairing equalities checked in step 1103 appear in the source only as an image and are not reproduced in the text.)
If any of the equalities do not hold, the verification process is terminated and a failure indication is returned 1104. If the checks succeed, a success indication is returned 1105 and the verifier is convinced that the ciphertext encrypts either "0" or "1".
NIZK Proofs for Circuit Satisfiability
[0046] We describe below an embodiment of a NIZK proof for Circuit Satisfiability (C-SAT). We use a public key for a homomorphic proof commitment scheme as the common reference string. In an embodiment, the common reference string is a perfectly binding string such as described above. The prover gets as input a circuit $C$ which, without loss of generality, consists of NAND-gates. He also gets a witness $w$, consisting of wires $w_1, \ldots, w_{out}$ such that the wires respect the circuit and the output wire is true, $w_{out} = 1$. We write $C(w) = 1$ when this is the case.
[0047] The prover's strategy is straightforward. He commits to each wire and for each commitment makes a proof that it contains 0 or 1. This way, the verifier is guaranteed that the prover has committed to truth values for each wire. The prover makes a trivial commitment to the output wire, using randomness $r = 0$, so the verifier can easily check that indeed the output is 1. What remains is to convince the verifier that the committed wires respect the NAND-gates of the circuit.

[0048] The following will be useful. Let $M$ be a finite cyclic group with neutral element 0 and generator 1. Let $b_0, b_1, b_2 \in \{0, 1\}$. If the order of the group is at least 4, then $b_2 = \neg(b_0 \wedge b_1)$ if and only if $b_0 + b_1 + 2(b_2 - 1) \in \{0, 1\}$. If the order of the group is 3, then $b_2 = \neg(b_0 \wedge b_1)$ if and only if $b_0 + b_1 + 2(b_2 - 1) \in \{0, 1\}$ and $b_0 + b_1 + b_2 - 1 \in \{0, 1\}$. (Over the integers, $b_0 + b_1 + 2(b_2 - 1)$ takes values in $\{-2, -1, 0, 1, 2\}$ and equals 0 or 1 for exactly the four NAND-consistent triples; a group of order 3 identifies $-2$ with 1, which is why the second condition is needed in that case.) In the following, we focus on the case where the message space of the commitment scheme has order at least 4. Given commitments $c_0, c_1, c_2$ containing plaintexts $b_0, b_1, b_2$, the homomorphic property of the commitment scheme implies that $c_0 c_1 c_2^2 \,\mathrm{com}(-1; 0)^2$ is a commitment to $b_0 + b_1 + 2(b_2 - 1)$. A proof that this commitment contains 0 or 1 shows that $b_2 = \neg(b_0 \wedge b_1)$. The prover may make such a proof for each NAND-gate in the circuit.
[0049] Figure 12 describes an embodiment of a NIZK proof of circuit satisfiability. A prover receives 1201 as input $(\sigma, C, w)$, comprising a common reference string $\sigma$, a circuit $C$, and a set of wire assignments $w = (w_1, \ldots, w_d, w_{out})$ for which $C(w) = 1$. For each $i = 1, \ldots, d$, generate a commitment $c_i = \mathrm{com}(w_i; r_i)$ to wire assignment $w_i$ using random element $r_i$ and a method such as described above 1202. For the output wire $w_{out}$, use randomness $r_{out} = 0$ and generate the commitment $c_{out} = \mathrm{com}(1; 0)$ 1203. For each commitment $c_i$, generate a proof $\pi_i$ of the existence of an opening $(w_i, r_i)$ such that $w_i \in \{0, 1\}$ and $c_i = \mathrm{com}(w_i; r_i)$ 1204.
[0050] For each NAND-gate, do the following. Suppose the input wires to the NAND-gate are numbered $i$ and $j$ and the output wire $k$. Using message $w_i + w_j + 2w_k - 2$ and randomness $r_i + r_j + 2r_k$, make a proof $\pi_{ijk}$ that $c_i c_j c_k^2 \,\mathrm{com}(-1; 0)^2$ contains message 0 or 1 (step 1205). A proof $\pi$ comprising all of the commitments and proofs for the wires and NAND-gates is generated and may be communicated to a computing entity 1205.
[0051] Figure 13 describes an embodiment of a process for verifying a NIZK proof of circuit satisfiability such as described in Figure 12. A verifier receives the common reference string $\sigma$, a circuit $C$, and a proof $\pi$ 1301. The verifier checks whether all wires have a corresponding commitment and $c_{out} = \mathrm{com}(1; 0)$ 1302. If not, the verification process is terminated and a failure indication is returned 1303. If the check succeeds, the process then checks 1304 whether every NAND-gate in $C$ with input wires $i, j$ and output wire $k$ has a proof $\pi_{ijk}$ that $c_i c_j c_k^2 \,\mathrm{com}(-1; 0)^2$ contains message 0 or 1, the derived commitment being recomputed by the verifier from $c_i$, $c_j$, $c_k$ and the public $\mathrm{com}(-1; 0)$. If the second check fails, the verification process is terminated and a failure indication is returned 1305. If the second check succeeds, a success indication is returned 1306 and the verifier is convinced that $\pi$ provides a proof of circuit satisfiability of circuit $C$.
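The NAND lemma of [0048] and the prover and verifier of Figures 12 and 13, worked through end to end on a small circuit. This is an added example, not the patent's code. It uses the same additive toy model of the composite-order group as the earlier 0/1 example (commitments $\mathrm{com}(m; r) = m g + r h \bmod n$, pairing $e(a, b) = ab \bmod n$, a perfectly binding key with $h$ of order $q$, and the one-element proof $(g^{2m-1} h^r)^r$ that a commitment holds 0 or 1); the circuit, wire names and witnesses are constructed here for illustration. The example goes slightly beyond the text by also showing what happens when the prover runs the honest procedure on a witness that violates a gate.

```python
"""Toy NIZK for circuit satisfiability with NAND gates (Figures 12 and 13).

Added example, not the patent's code. It uses the same additive model of the
composite-order group as the earlier 0/1 example: commitments com(m; r) =
m*g + r*h mod n, pairing e(a, b) = a*b mod n, a perfectly binding key (h of
order q), and the one-element proof pi = (g^(2m-1) h^r)^r that a commitment
contains 0 or 1. The circuit, wire names and witnesses are constructed here.
"""
import itertools
import random

P, Q = 1009, 1013
N = P * Q
G = 1
H = (P * 7) % N          # h = g^(p*x) with x = 7: an order-q element (binding key)


def com(m, r):
    """Homomorphic commitment com(m; r) = g^m h^r, written additively."""
    return (m * G + r * H) % N


def prove01(m, r):
    """Proof that com(m; r) contains 0 or 1: (g^(2m-1) h^r)^r."""
    return (r * ((2 * m - 1) * G + r * H)) % N


def verify01(c, pi):
    """Check e(c, c g^-1) = e(h, pi) with the toy pairing e(a, b) = a*b mod n."""
    return (c * ((c - G) % N)) % N == (H * pi) % N


def nand_lemma_holds():
    """[0048]: b2 = NOT(b0 AND b1)  iff  b0 + b1 + 2(b2 - 1) in {0, 1},
    for a message space of order at least 4 (here the order is n)."""
    for b0, b1, b2 in itertools.product((0, 1), repeat=3):
        is_nand = b2 == 1 - (b0 & b1)
        in_range = b0 + b1 + 2 * (b2 - 1) in (0, 1)
        if is_nand != in_range:
            return False
    return True


# Constructed sample circuit: each gate is (input_i, input_j, output_k).
# out = NAND(t, t) with t = NAND(a, b), i.e. out = a AND b.
CIRCUIT = [("a", "b", "t"), ("t", "t", "out")]


def prove_csat(circuit, wires, rng=random):
    """Figure 12: commit to every wire (c_out with randomness 0), prove each
    commitment holds 0 or 1, and for each gate prove that
    c_i * c_j * c_k^2 * com(-1; 0)^2 holds 0 or 1."""
    if wires.get("out") != 1:
        raise ValueError("witness does not make the output wire true")
    rand = {w: (0 if w == "out" else rng.randrange(1, N)) for w in wires}
    commits = {w: com(wires[w], rand[w]) for w in wires}
    wire_proofs = {w: prove01(wires[w], rand[w]) for w in wires}
    gate_proofs = {}
    for i, j, k in circuit:
        msg = wires[i] + wires[j] + 2 * wires[k] - 2   # in {0, 1} iff the gate holds
        r = rand[i] + rand[j] + 2 * rand[k]
        gate_proofs[(i, j, k)] = prove01(msg, r)        # honest formula; unverifiable if msg not in {0, 1}
    return {"commits": commits, "wires": wire_proofs, "gates": gate_proofs}


def verify_csat(circuit, proof):
    """Figure 13: every wire committed, c_out = com(1; 0), every wire proof and
    every gate proof valid against the homomorphically derived commitment."""
    commits, wire_proofs, gate_proofs = proof["commits"], proof["wires"], proof["gates"]
    if commits.get("out") != com(1, 0):
        return False
    for w, c in commits.items():
        if w not in wire_proofs or not verify01(c, wire_proofs[w]):
            return False
    two_com_minus_one = (2 * com(-1, 0)) % N             # com(-1; 0)^2
    for gate in circuit:
        i, j, k = gate
        if gate not in gate_proofs or any(w not in commits for w in gate):
            return False
        derived = (commits[i] + commits[j] + 2 * commits[k] + two_com_minus_one) % N
        if not verify01(derived, gate_proofs[gate]):
            return False
    return True


if __name__ == "__main__":
    good = {"a": 1, "b": 1, "t": 0, "out": 1}
    bad = {"a": 1, "b": 1, "t": 1, "out": 1}      # t contradicts NAND(a, b)
    print("lemma:", nand_lemma_holds())
    print("good witness:", verify_csat(CIRCUIT, prove_csat(CIRCUIT, good)))
    print("bad witness:", verify_csat(CIRCUIT, prove_csat(CIRCUIT, bad)))
```

The verifier never sees the wire values: it recomputes each gate's derived commitment from the three wire commitments and the public $\mathrm{com}(-1; 0)$, and the 0/1 proof for that derived commitment is valid only when $w_i + w_j + 2w_k - 2 \in \{0, 1\}$, i.e. when $w_k = \neg(w_i \wedge w_j)$. With the inconsistent witness the gate message is 2, so the honestly computed proof fails the pairing check and the whole proof is rejected.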
[0052] The various techniques described herein may be implemented with hardware or software or, where appropriate, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as floppy diskettes, CD-ROMs, hard drives, or any other machine-readable storage medium, wherein, when the program code is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention. In the case of program code execution on programmable computers, the computer will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device and at least one output device. One or more programs are preferably implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language, and combined with hardware implementations.
[0053] Reference in the specification to "an embodiment," "one embodiment," "some embodiments," or "other embodiments" means that a particular feature, structure, or characteristic described in connection with the embodiments is included in at least some embodiments, but not necessarily all embodiments, of the invention. The various appearances "an embodiment," "one embodiment," or "some embodiments" are not necessarily all referring to the same embodiments.
[0054] If the specification states a component, feature, structure, or characteristic "may", "might", or "could" be included, that particular component, feature, structure, or characteristic is not required to be included. If the specification or claim refers to "a" or "an" element, that does not mean there is only one of the element. If the specification or claims refer to "an additional" element, that does not preclude there being more than one of the additional element.
[0055] While the present disclosure has been described in connection with various embodiments, illustrated in the various figures, it is understood that similar aspects may be used or modifications and additions may be made to the described aspects of the disclosed embodiments for performing the same function of the present disclosure without deviating therefrom. Therefore, the present disclosure should not be limited to any single aspect, but rather construed in breadth and scope in accordance with the appended claims.

Claims

What is Claimed:
1. A method for generating a proof for the satisfiability of a circuit, the method comprising: identifying a common reference string containing a predetermined number of elements of a group, said predetermined number being determined independent of the order of the group and independent of the size of a circuit to be proven satisfiable; and generating a proof of satisfiability of the circuit, the size of said proof being proportionate to the product of the size of the circuit and the length of the order of the group.
2. A method for generating a proof, the method comprising: receiving a common reference key comprising a group order, a description of a first group having the group order, a description of a second group having the group order, a description of a bilinear map from the first group to the second group, a first generator of the first group, and a second generator of a proper nontrivial subgroup of the first group; receiving a message from a first computing entity; identifying a ciphertext encrypting the message; determining a proof value comprising a triple of values from the first group, said triple of values generated using a unit from the group of integers modulo the group order, the first generator, the second generator, the message, and the secret integer value; and communicating the proof value to a second computing entity.
3. The method as recited in claim 2, wherein identifying a ciphertext comprises receiving the ciphertext from the first computing entity.
4. The method as recited in claim 2, wherein identifying a ciphertext comprises computing the ciphertext using at least the first generator, the message, the second generator, and a secret integer value.
5. A proof system comprising: a common reference key comprising a group order, a description of a first group having the group order, a description of a second group having the group order, a description of a bilinear map from the first group to the second group, a first generator of the first group, and a second generator of a proper nontrivial subgroup of the first group; a message, said message having been generated by a first computing entity; a ciphertext representing an encryption of the message, said ciphertext having been generated using elements of the common reference key and a secret integer value; a proof value comprising a tuple of values from the first group, said tuple of values generated using a unit from the group of integers modulo the group order, the first generator, the second generator, the message, and the secret integer value; and a communications module for communicating the proof value to a second computing entity.
6. The system of claim 5 wherein the tuple is a triple.
7. The system of claim 5, further comprising: a verifier configured to receive the common reference key, the ciphertext, and the proof value and to verify that predetermined relationships hold when the bilinear map is applied to preselected elements of the common reference key, the ciphertext, and the proof value.
8. A method of verifying a proof, the method comprising: receiving a common reference key comprising a group order, a description of a first group having the group order, a description of a second group having the group order, a description of a bilinear map from the first group to the second group, a first generator of the first group, and a second generator of a proper subgroup of the first group; receiving a ciphertext encrypting a message; receiving a proof value, said proof value comprising a triple of values from the first group; using the bilinear map, the first generator, the second generator, the ciphertext, and the proof value to determine whether the ciphertext encrypts a value from a predetermined set of values; and generating a signal representative of the determination.
9. A method for generating a proof, the method comprising: receiving a common reference key comprising a prime group order p, a description of a first group having the group order, a description of a second group having the group order, a description of a bilinear map from the first group to the second group, three generators of the first group, and a first tuple of values from the first group, wherein the first tuple of values from the first group have a predetermined relationship to the three generators and at least a first and a second value selected from the integers modulo p; receiving a message from a first computing entity; identifying a ciphertext encrypting the message and comprising a second tuple of values from the first group, the values of the second tuple of values from the first group determined by a predetermined relationship of the three generators, the message, and a third and a fourth value selected from the integers modulo p; determining a proof value comprising a matrix of values from the first group, said matrix of values generated using a fifth value selected from the group of integers modulo p and determined by the fifth value, the three generators, the first tuple of values from the first group, the third and fourth values, and the message; and communicating the proof value to a second computing entity.
10. The method as recited in claim 9, wherein identifying a ciphertext comprises receiving the ciphertext from the first computing entity.
11. The method as recited in claim 9, wherein identifying a ciphertext comprises computing the ciphertext.
12. A system for generating a proof, the system comprising: a common reference key comprising a prime group order p, a description of a first group having the group order, a description of a second group having the group order, a description of a bilinear map from the first group to the second group, three generators of the first group, and a first tuple of values from the first group, wherein the first tuple of values from the first group have a predetermined relationship to the three generators and at least a first and a second value selected from the integers modulo p; a message received from a first computing entity; a ciphertext encrypting the message and comprising a second tuple of values from the first group, the values of the second tuple of values from the first group determined by a predetermined relationship of the three generators, the message, and a third and a fourth value selected from the integers modulo p; a proof value comprising a matrix of values from the first group, said matrix of values generated using a fifth value selected from the group of integers modulo p and determined by the fifth value, the three generators, the first tuple of values from the first group, the third and fourth values, and the message; and a communications module for communicating the proof value to a second computing entity.
13. A method for proving that a collection of values satisfies a logical NAND-gate, the method comprising: receiving a first input value $b_0$ and a second input value $b_1$ for a NAND-gate and an output value $b_2$ for the NAND-gate; identifying ciphertexts $c_0$, $c_1$, and $c_2$ representing $b_0$, $b_1$, and $b_2$ respectively, wherein the ciphertexts are generated using a homomorphic commitment scheme; identifying a ciphertext $c_3$ generated using the homomorphic commitment scheme applied to a message containing $-1$; generating a proof that $c_0 c_1 c_2^2 c_3^2$ contains 0 or 1.
14. A proof system for proving that a collection of values satisfies a logical NAND-gate, the system comprising: a first input value $b_0$ and a second input value $b_1$ for a NAND-gate; an output value $b_2$ for the NAND-gate; ciphertexts $c_0$, $c_1$, and $c_2$ representing $b_0$, $b_1$, and $b_2$ respectively, wherein the ciphertexts are generated using a homomorphic commitment scheme; a ciphertext $c_3$ generated using the homomorphic commitment scheme applied to a message containing $-1$; a proof that $c_0 c_1 c_2^2 c_3^2$ contains 0 or 1.
15. A method for proving that a collection of wire assignments satisfies a circuit description, the method comprising: identifying a circuit description; identifying a collection of wire assignments, each wire assignment being associated with an element of the circuit description; identifying a collection of commitments, each commitment being associated with a wire assignment; generating a collection of proofs, each proof being a proof that a triple of wire assignments associated with a NAND-gate of the circuit description satisfies the NAND-gate; and communicating the collection of proofs to a computing entity.
16. A proof system for proving that a collection of wire assignments satisfies a circuit description, the system comprising: a circuit description; a collection of wire assignments, each wire assignment being associated with an element of the circuit description; a collection of commitments, each commitment being associated with a wire assignment; a collection of proofs, each proof being a proof that a triple of wire assignments associated with a NAND-gate of the circuit description satisfies the NAND-gate; and a communications module for communicating the proofs to a computing entity.
PCT/US2007/075940 2006-08-14 2007-08-14 System for non-interactive zero-knowledge proofs WO2008022158A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US82236506P 2006-08-14 2006-08-14
US60/822,365 2006-08-14

Publications (2)

Publication Number Publication Date
WO2008022158A2 true WO2008022158A2 (en) 2008-02-21
WO2008022158A3 WO2008022158A3 (en) 2008-09-12

Family

ID=39083076

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2007/075940 WO2008022158A2 (en) 2006-08-14 2007-08-14 System for non-interactive zero-knowledge proofs

Country Status (1)

Country Link
WO (1) WO2008022158A2 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2014150494A (en) * 2013-02-04 2014-08-21 Nippon Telegr & Teleph Corp <Ntt> Commitment system, common reference string generation apparatus, commitment generation apparatus, commitment reception apparatus, commitment method and program
JP2015011048A (en) * 2013-06-26 2015-01-19 日本電信電話株式会社 Commitment system, common reference information generation device, commit generation device, commit reception device, commitment method and program
US10027654B2 (en) * 2014-10-13 2018-07-17 Morpho Method for authenticating a client device to a server using a secret element
CN109245897A (en) * 2018-08-23 2019-01-18 北京邮电大学 A kind of node authentication method and device based on noninteractive zero-knowledge proof
CN110991655A (en) * 2019-12-17 2020-04-10 支付宝(杭州)信息技术有限公司 Method and device for processing model data by combining multiple parties
CN111886831A (en) * 2018-03-23 2020-11-03 区块链控股有限公司 Computer-implemented system and method for implementing zero-knowledge proof
CN116112181A (en) * 2023-01-17 2023-05-12 中国科学院软件研究所 Universal non-interactive zero knowledge proving method and system

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005093671A2 (en) * 2004-03-25 2005-10-06 Cryptomathic A/S Electronic voting systems

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 07814087; Country of ref document: EP; Kind code of ref document: A2)
NENP Non-entry into the national phase in: DE
NENP Non-entry into the national phase in: RU
122 Ep: pct application non-entry in european phase (Ref document number: 07814087; Country of ref document: EP; Kind code of ref document: A2)