Practical Zero-Knowledge Proofs for Circuit Evaluation

Showing that a circuit is satisfiable without revealing any further information is a key problem in modern cryptography. The related and more general problem of showing that a circuit evaluates to a particular value when executed on the input contained in a public commitment has several potential practical applications. Although numerous solutions to this problem have been proposed, their practical applicability is poorly understood. In this paper, we take an important step towards moving existing solutions into practice. We implement and evaluate four solutions to the problem, investigating solutions both in the common reference string (CRS) model and in the random oracle model. In particular, in the CRS model we use the recent Groth-Sahai techniques for proofs over bilinear groups in the asymmetric pairing setting. We provide various optimizations to the different solutions we investigate. We present timing results for two circuits, the larger of which is an implementation of AES that uses about 30000 gates.
