Short Non-interactive Zero-Knowledge Proofs
Jens Groth
University College London

Non-interactive zero-knowledge proof
[Diagram: Prover holds (x,w) ∈ R_L; CRS: 0100…11010; Statement: x ∈ L; Proof: ; Verifier]
• Zero-knowledge: Nothing but truth revealed
• Soundness: Statement is true

Non-interactive zero-knowledge proofs
• Statement C is satisfiable circuit
• Perfect completeness
• Statistical soundness
• Computational zero-knowledge
• Uniformly random common reference string
• Efficient prover – probabilistic polynomial time
• Deterministic polynomial time verifier
Adaptive soundness: Adversary sees CRS before attempting to cheat with false (C,)

Our results
• Security level: 2^{-k}
• Trapdoor perm size: k_T = poly(k)
• Circuit size: |C| = poly(k)
• Witness size: |w| |C|

                     CRS in bits            Proof in bits          Assumption
Kilian-Petrank       |C|∙k_T∙k∙(log k)      |C|∙k_T∙k∙(log k)      Trapdoor perms
This work            |C|∙k_T∙polylog(k)     |C|∙k_T∙polylog(k)     Trapdoor perms

                     CRS in bits            Proof in bits          Assumption
Gentry               poly(k)                |w|∙poly(k)            Lattice-based
G-Ostrovsky-Sahai    k^3/polylog(k)         |C|∙k^3/polylog(k)     Pairing-based
This work            |C|∙polylog(k)         |C|∙polylog(k)         Naccache-Stern

Hidden random string – soundness
[Diagram: Statement: x ∈ L; (x,w) ∈ R_L; hidden random bits 0 1 0 1]

Hidden random string – zero-knowledge
[Diagram: Statement: x ∈ L; revealed bits 0 1]

Two new techniques
• More efficient use of hidden random bits
  – Kilian-Petrank: |C|∙k∙(log(k)) hidden random bits
  – This work: |C|∙polylog(k) hidden random bits
• More efficient implementation of hidden bits
  – Trapdoor permutations: k_T = poly(k) bits per hidden random bit
  – Naccache-Stern encryption: O(log k) bits per hidden random bit

Implementing the hidden random bits model
[Diagram: Statement: x ∈ L; (x,w) ∈ R_L; K(1^k) → (pk,sk); CRS strings 01...0, 11…1, 00…1, 10…0 interpreted as ciphertexts c_1 = E_pk(0;r_1), c_2 = E_pk(1;r_2), c_3 = E_pk(0;r_3), c_4 = E_pk(1;r_4)]

Naccache-Stern encryption
• pk = (M,P,g), sk = φ(M)
  – M is an RSA modulus
  – P = p_1 p_2 … p_d where p_1,…,p_d are O(log k) bit primes
  – P | ord(g) = φ(M)/4 and |P| = O(|M|)
• E_pk(m;r) = g^m r^P mod M
• D_sk(c): For each p_i compute m mod p_i
  c^{φ(M)/p_i} = (g^{φ(M)/p_i})^m
  Chinese remainder gives m mod P

Naccache-Stern implementation of hidden bits
[Diagram: Statement: x ∈ L; (x,w) ∈ R_L; K(1^k) → (pk,sk); CRS strings 01...0, 11…1, 00…1, 10…0 interpreted as ciphertexts c_1 = E_pk(010;r_1), c_2 = E_pk(101;r_2), c_3 = E_pk(011;r_3), c_4 = E_pk(110;r_4); revealed bits ?1?, 10?, ??1, ???]
Hidden bit i of a plaintext m:
  0 if m mod p_i even
  1 if m mod p_i odd
    if m mod p_i is -1

Revealing part of Naccache-Stern plaintext
• Ciphertext c = g^m r^P
• How to prove that m = x mod p_i?
• Prover reveals such that P = (c g^{-x})^{φ(M)/p_i}
• Shows P = (g^{m-x} r^P)^{φ(M)/p_i} = (g^{φ(M)/p_i})^{m-x}
• Can compute the proof as = (c g^{-x})^{(P^{-1} mod φ(M)/P) P/p_i}
• Can randomize proof by multiplying with s^{φ(M)/P}
• Generalizes to reveal m mod ∏_{i∈S} p_i with a proof consisting of one group element

Zero-knowledge
• Simulator sets up pk = (M,P,g) such that ord(g) = φ(M)/4P and g = h^P mod M
• Simulator also sets up the CRS such that it only contains ciphertexts of the form g^t mod M
• For any m ∈ Z_P we can compute r = h^{t-m} mod M such that g^t = g^m (g^{t-m}) = g^m r^P mod M
• This means the simulator can open each ciphertext to arbitrary hidden bits

Efficient use of the hidden random bits
[Diagram: Statement: x ∈ L; (x,w) ∈ R_L; hidden random bits 0 1 0 1]

Kilian-Petrank
• Random bits not useful; need bits with structure
• Use statistical sampling to get “good” blocks
[Diagram: blocks 10 11 00 01; callout: Probably hidden pairs are 00 and 11]

Kilian-Petrank continued
• Reveal blocks of bits so remaining “good” blocks of bits have a particular structure (statistically)
• Reduce C to a 3SAT formula
• Assign remaining “good” blocks to variables in
• For each clause reveal some bits in the blocks assigned to the literals of the clause
• An unsatisfied clause has some probability of the revealed bits not satisfying certain criterion
• Repeat many times to make the probability of cheating negligible for each clause

Probabilistically checkable proofs
• Polynomial time algorithms f, f_w:
  f: C    f_w: w x
  belongs to gap-3SAT5
  if C(w)=1 then (x)=1
• is a gap-3SAT5 formula
  – All variables appear in exactly 5 clauses
  – thrice as positive literal and twice as negative
  – Either all clauses are simultaneously satisfiable or a constant fraction are unsatisfiable

Strategy
• Compute = f(C) and prove that it is satisfiable
• With the most efficient probabilistically checkable proofs (Dinur 07 combined with Ben-Sasson-Sudan 08) we have || = |C| polylog(k)
• Seems counterintuitive to make statement larger
• However, since allows for a constant fraction of “errors”, less repetition is needed to make the overall soundness error negligible
• It is ok if the prover cheats on some clauses as long as it cannot cheat on a constant fraction

Summary
• Technique 1: Reduce soundness error with probabilistically checkable proofs

                     Hidden bits            Proof in bits          Assumption
Kilian-Petrank       |C|∙k_T∙k∙(log k)      |C|∙k_T∙k∙(log k)      Trapdoor perms
This work            |C|∙k_T∙polylog(k)     |C|∙k_T∙polylog(k)     Trapdoor perms

• Technique 2: Implement hidden random bit string with Naccache-Stern encryption

                     CRS in bits            Proof in bits          Assumption
Gentry               poly(k)                |w|∙poly(k)            Lattice-based
G-Ostrovsky-Sahai    k^3/polylog(k)         |C|∙k^3/polylog(k)     Pairing-based
This work            |C|∙polylog(k)         |C|∙polylog(k)         Naccache-Stern
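
The Naccache-Stern encryption, the hidden-bit reading of a plaintext and the simulator's opening from the slides, as an added Python example that is not part of the original talk. It assumes the symbol dropped from sk and the exponents is Euler's φ(M), uses a constructed and insecure toy modulus M = 43·11 with p_i = 3, 5, 7, represents the third hidden-bit case as None, and only enforces P | ord(g) rather than the slides' exact order conditions; all function names are hypothetical.

```python
# Toy Naccache-Stern instance (constructed, insecure sizes): M = 43 * 11.
from math import gcd, prod

PRIMES = [3, 5, 7]                 # the small primes p_1..p_d
P = prod(PRIMES)                   # P = 105
M, PHI = 43 * 11, 42 * 10          # RSA modulus and phi(M) = 420 = 4 * P

def find_g():
    # p_i divides ord(g) iff g^(phi/p_i) != 1, so this g has P | ord(g).
    for g in range(2, M):
        if gcd(g, M) == 1 and all(pow(g, PHI // p, M) != 1 for p in PRIMES):
            return g

G = find_g()

def encrypt(m, r, g=G):
    # E_pk(m; r) = g^m * r^P mod M, with r invertible mod M
    return pow(g, m, M) * pow(r, P, M) % M

def residue(c, p, g=G):
    # c^(phi/p) = (g^(phi/p))^m because r^(P*phi/p) = 1; try the p candidates.
    target, base = pow(c, PHI // p, M), pow(g, PHI // p, M)
    return next(j for j in range(p) if pow(base, j, M) == target)

def decrypt(c):
    # Chinese remaindering of the residues m mod p_i gives m mod P.
    m = 0
    for p in PRIMES:
        n = P // p
        m += residue(c, p) * n * pow(n, -1, p)
    return m % P

def hidden_bits(c):
    # Slide rule: 0 if m mod p_i is even, 1 if odd. Residue p_i - 1 (= -1) is
    # the third case; its symbol is missing from the page, None is assumed here.
    out = []
    for p in PRIMES:
        x = residue(c, p)
        out.append(None if x == p - 1 else x % 2)
    return out

def simulator_open(h, t, m):
    # Simulation mode: g = h^P and the ciphertext is g^t.
    # r = h^(t-m) satisfies g^m * r^P = g^t, so g^t opens to any m.
    return pow(h, (t - m) % PHI, M)
```

With a real key the ciphertext commits to m mod P, while with the simulated key g = h^P the same group element g^t is a valid encryption of every m, which is the property the zero-knowledge slide relies on.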