Short Pairing-based Non-interactive Zero-Knowledge Arguments


Jens Groth, University College London. October 26, 2010.

Abstract. We construct non-interactive zero-knowledge arguments for circuit satisfiability with perfect completeness, perfect zero-knowledge and computational soundness. The non-interactive zero-knowledge arguments have sub-linear size and very efficient public verification. The size of the non-interactive zero-knowledge arguments can even be reduced to a constant number of group elements if we allow the common reference string to be large. Our constructions rely on groups with pairings and security is based on two new cryptographic assumptions; we do not use the Fiat-Shamir heuristic or random oracles.

Keywords: Sub-linear size non-interactive zero-knowledge arguments, pairing-based cryptography, power knowledge of exponent assumption, computational power Diffie-Hellman assumption.

1 Introduction

Zero-knowledge proofs, introduced by Goldwasser, Micali and Rackoff [GMR89], are fundamental building blocks in cryptography that are used in numerous protocols. Zero-knowledge proofs enable a prover to convince a verifier of the truth of a statement without leaking any other information. The central properties are captured in the notions of completeness, soundness and zero-knowledge.

Completeness: The prover can convince the verifier if the prover knows a witness testifying to the truth of the statement.

Soundness: A malicious prover cannot convince the verifier if the statement is false. We distinguish between computational soundness, which protects against polynomial time cheating provers, and statistical or perfect soundness, where even an unbounded prover cannot convince the verifier of a false statement. We will call computationally sound proofs arguments.

Zero-knowledge: A malicious verifier learns nothing except that the statement is true. We distinguish between computational zero-knowledge, where a polynomial time verifier learns nothing from the proof, and statistical or perfect zero-knowledge, where even a verifier with unlimited resources learns nothing from the proof.
The first zero-knowledge proofs relied on interaction between the prover and the verifier. Many cryptographic tasks are carried out off-line though; for instance signing or encrypting messages. For these tasks it is desirable to have non-interactive zero-knowledge (NIZK) proofs, where there is no interaction and a proof just consists of a single message from the prover to the verifier. Unfortunately, only languages in BPP have NIZK proofs in the plain model without any setup [Ore87,GO94,GK96]. However, Blum, Feldman and Micali [BFM88] introduced NIZK proofs in the common reference string model, where both the prover and verifier

Footnote: Supported by Engineering and Physical Sciences Research Council grant number EP/G013829/1.

have access to a common reference string generated in a trusted way. Such NIZK proofs have many applications, ranging from early chosen ciphertext attack secure public-key cryptosystems [DDN00,Sah01] to recent advanced signature schemes [CGS07,BW06]. For this reason there has been a lot of research into the underlying assumptions [FLS99,BCNP04,GO07], the efficiency [Dam92,DDP02,KP98,Gro10], and the security guarantees offered by NIZK proofs [DP92,Sah01,DDO+02].

NIZK proofs based on standard cryptographic assumptions used to be inefficient and not useful in practice. To get around this inefficiency, applied cryptographers have relied on the so-called Fiat-Shamir heuristic for transforming public-coin interactive zero-knowledge proofs into NIZK arguments by using a cryptographic hash-function to compute the verifier's challenges. The Fiat-Shamir heuristic can give very efficient NIZK arguments that are secure in the random oracle model [BR93], where the cryptographic hash-function is modeled as a random function. It is for instance possible to use the Fiat-Shamir heuristic to transform sub-linear size interactive public-coin zero-knowledge arguments [Kil92] into sub-linear size non-interactive zero-knowledge arguments [Mic00]. Unfortunately, there are several examples of protocols that are secure in the random oracle model, but do not have any secure standard model instantiation no matter which hash-function is used [CGH98,CGH04,MRH04,BBP04,Nie02]. Particularly relevant here is Goldwasser and Kalai's [GK03] demonstration of a signature scheme built from a public-coin identification scheme that is secure in the random oracle model but insecure in real life. While it is possible that the Fiat-Shamir heuristic is secure for natural protocols, it is worthwhile to investigate alternative approaches.

Another way to get around the inefficiency of traditional NIZK proofs is to use non-interactive designated verifier proofs. In a designated verifier proof, the proof is not publicly verifiable; it can only be verified by a designated verifier.
Damgård, Fazio and Nicolosi [DFN06] gave an efficient linear size non-interactive designated verifier proof for circuit satisfiability based on an assumption related to Paillier encryption. Designated verifier proofs suffice for some applications, for instance Cramer and Shoup's chosen ciphertext attack secure public-key cryptosystem [CS98]. In many other cases, the lack of public verifiability is problematic though. When there is only one designated verifier, it is for instance not possible to use them to construct advanced digital signatures, such as ring signatures and group signatures, since here non-repudiation relies on public verifiability.

Recent works on NIZK proofs have used bilinear groups to improve efficiency. Groth, Ostrovsky and Sahai [GOS06b,GOS06a] gave NIZK proofs for circuit satisfiability where the proof consists of $O(|C|)$ group elements, with $|C|$ being the number of gates in the circuit. Their NIZK proofs have the property that they can be set up to give either perfect soundness and computational zero-knowledge, or alternatively computational soundness and perfect zero-knowledge. Works by Boyen, Waters, Groth and Sahai [BW06,BW07,Gro06,GS08] have explored how to build efficient NIZK proofs that are directly applicable in bilinear groups instead of going through circuit satisfiability. In some special cases, for instance in the ring signature of Chandran, Groth and Sahai [CGS07], these techniques lead to sub-linear size NIZK proofs, but in general the number of group elements in an NIZK proof grows linearly in the size of the statement. Abe and Fehr [AF07] gave a construction based on commitments instead of encryptions, but since there is a commitment for each wire they also get a linear growth in the size of the circuit.

Looking at the NP-complete problem of circuit satisfiability, the reason the NIZK proofs grow linearly in the circuit size is that they encrypt the value of each wire in the circuit. Gentry's new fully homomorphic cryptosystem [Gen09] can reduce the NIZK proof to being linear in the size of

the witness: The prover encrypts the inputs to the circuit and uses the homomorphic properties of the cryptosystem to compute the output of the circuit. The prover then gives NIZK proofs for the input ciphertexts being valid and the output ciphertext containing 1. Fully homomorphic encryption only helps when the circuit has a small witness though; if the circuit has a linear number of input wires the resulting NIZK proof will also be linear in the circuit size.

1.1 Our Contribution

Micali's CS proofs [Mic00] indicated the possibility of sub-linear size NIZK arguments, but despite more than a decade of research the Fiat-Shamir heuristic is the only known strategy for constructing sub-linear size NIZK arguments. Our goal is to introduce a new type of sub-linear size NIZK arguments where security does not rely on the random oracle model.

We construct NIZK arguments for circuit satisfiability with perfect completeness, computational soundness and perfect zero-knowledge (see Section 2 for definitions). The NIZK arguments are short and very efficient to verify, but the prover uses a super-linear number of group operations. We first give an NIZK argument consisting of a constant number of group elements but having a long common reference string. We then show that it is possible to reduce the size of the common reference string at the cost of increasing the size of the NIZK argument, making them simultaneously sub-linear in the circuit size.

The soundness of our NIZK argument relies on the q-computational power Diffie-Hellman and the q-power knowledge of exponent assumptions (see Section 3). The q-CPDH assumption is a normal computational intractability assumption, but the q-PKE is a so-called knowledge of exponent assumption. Knowledge of exponent assumptions have been criticized for being unfalsifiable [Nao03], but the use of a non-standard assumption may be unavoidable since Abe and Fehr [AF07] have demonstrated that no statistical zero-knowledge NIZK argument for an NP-complete language can have a direct black-box security reduction to a standard cryptographic assumption unless NP ⊆ P/poly.$^{1,2}$
Table 1 gives a quick comparison to other NIZK proofs and arguments for circuit satisfiability, where k is a security parameter, G stands for the size of a group element, M and E are the costs of respectively multiplications and exponentiations, and P is the cost of a pairing in a bilinear group (see Section 3). Compared to other pairing-based NIZK arguments, our arguments are smaller and faster to verify. The prover uses a super-linear number of multiplications and the computational cost may grow beyond a linear number of exponentiations. The public verifiability means that the NIZK arguments are transferable though; they can be copied and distributed to many different entities that can do their own independent verification. The prover only pays a one-time cost for computing the NIZK argument, while all verifiers enjoy the benefits of low transmission bandwidth and efficient verification.

Footnote 1: Abe and Fehr do not rule out the existence of statistical NIZK arguments with non-adaptive soundness, where the adversary chooses the statement obliviously of the common reference string. Since the common reference string is public it is more natural to define soundness adaptively though; indeed we do not know of any practical applications of NIZK arguments with non-adaptive soundness.

Footnote 2: The very assumption that an NIZK argument is sound seems to be unfalsifiable as well, since even if an adversary outputs a false statement and a convincing NIZK argument it may be hard to verify that the statement is false. Groth, Ostrovsky and Sahai [GOS06b] circumvented this problem by defining co-soundness for languages in NP ∩ coNP, which is falsifiable since the adversary can produce a coNP-witness certifying that the statement is false.

Table 1. Comparison of NIZK proofs and arguments. "Sound" and "ZK" give the flavour of soundness and zero-knowledge: stat. = statistical, perf. = perfect, comp. = computational.

Scheme                                | CRS size         | Proof size        | Prover comp.       | Verifier comp.     | Sound | ZK    | Assumption
Groth [Gro10]                         | Õ(|C|) G         | Õ(|C|) G          | Õ(|C|) E           | Õ(|C|) M           | stat. | comp. | trapdoor perm.
Groth [Gro10]                         | Õ(|C|) bits      | Õ(|C|) bits       | Õ(|C|) M           | Õ(|C|) M           | stat. | comp. | Naccache-Stern
Gentry [Gen09]                        | O(1) G           | |w| k^{O(1)} G    | |C| k^{O(1)} M     | |C| k^{O(1)} M     | stat. | comp. | lattice-based
Groth-Ostrovsky-Sahai [GOS06b,GOS06a] | O(1) G           | O(|C|) G          | O(|C|) E           | O(|C|) P           | perf. | comp. | subgroup decision or decision linear
Groth-Ostrovsky-Sahai [GOS06b,GOS06a] | O(1) G           | O(|C|) G          | O(|C|) E           | O(|C|) E           | comp. | perf. | subgroup decision or decision linear
Abe-Fehr [AF07]                       | O(1) G           | O(|C|) G          | O(|C|) E           | O(|C|) E           | comp. | perf. | knowledge of expo.
Groth [Gro09]                         | O(|C|) G         | O(|C|^{1/2}) G    | O(|C|) M           | O(|C|) M           | comp. | perf. | random oracle
This paper                            | O(|C|^2) G       | O(1) G            | O(|C|^2) M         | O(|C|) M           | comp. | perf. | PKE and CPDH
This paper                            | O(|C|^{2/3}) G   | O(|C|^{2/3}) G    | O(|C|^{4/3}) M     | O(|C|) M           | comp. | perf. | PKE and CPDH

NIZK arguments based on the Fiat-Shamir heuristic are more efficient than our NIZK arguments. These are interactive zero-knowledge arguments (and interaction seems to help) that rely on a cryptographic hash-function to compute the verifier's challenges. The security proofs for soundness rely on the assumption that the hash-function can be modeled as a source of random coins though, which seems to imply at least some type of knowledge extraction assumption, namely that a hash-value can only be obtained if the adversary knows the input beforehand. Furthermore, the cryptographic hash-function is deterministic and therefore it is clearly false that it is a random function. In contrast, the q-PKE assumption is as far as we know true. Even though the random oracle assumption is false and even though there are examples of the Fiat-Shamir heuristic leading to insecure arguments [GK03], it may be that a particular NIZK argument based on the Fiat-Shamir heuristic is sound. However, we believe it is worthwhile to investigate alternatives to the Fiat-Shamir heuristic.

Perfect Zaps. The common reference string model assumes a trusted setup for generating common reference strings and making them available to the prover and verifier.
In case no such setup is available$^3$ we can still get a sub-linear size 2-move publicly verifiable witness-indistinguishable argument where the verifier's first message can be reused many times, a so-called Zap [DN00], as follows: The verifier generates a common reference string. The prover verifies that the common reference string is well-formed (our common reference string is not a random bit-string, but it does have a certain structure that makes it possible to verify that it is well-formed) and can now make arbitrarily many Zaps using the verifier's initial message as the common reference string. Since our NIZK argument is perfectly zero-knowledge, the Zaps will be perfectly witness-indistinguishable.

1.2 Outline of Our NIZK Argument

We will construct NIZK arguments for the existence of an input to a binary circuit C making it output 1. At a loss of a constant factor, we may assume C is built entirely from NAND-gates. Furthermore, if we label the output wire a we may add a self-loop to the circuit consisting of a NAND-gate $a = \neg(a \wedge b)$, forcing a to be 1 (if a were 0 the gate would output 1, contradicting the loop). This reduces the challenge to proving that there is an assignment of truth-values to the wires that respects all the $N = |C|$ NAND-gates in the circuit.

The NIZK argument relies on length-reducing commitments where we can commit to n values in a finite field $\mathbb{Z}_p$ using only a constant number of group elements. The commitment

Footnote 3: We remark that even if the common reference string is adversarially chosen, the sub-linearity of our NIZK arguments imposes an information theoretic upper bound on how much information can be leaked.

scheme should be homomorphic, which means that we can combine two commitments to get a new commitment containing the entry-wise sum of their values. We will also use non-interactive arguments consisting of a constant number of group elements for proving the following properties about committed values:

Entry-wise product: Commitments c, d, v contain values $a_1, \ldots, a_n$, $b_1, \ldots, b_n$ and $u_1, \ldots, u_n$ that satisfy $u_i = a_i b_i$ for all i.

Permutation: Commitments c, d contain values $a_1, \ldots, a_n$ and $b_1, \ldots, b_n$ that satisfy $b_i = a_{\rho(i)}$ for all i, where ρ is a publicly known permutation of n elements.

Let us sketch how homomorphic commitments combined with these two types of non-interactive arguments give us a constant size NIZK argument for circuit satisfiability when n = 2N. The prover gets as a witness for the satisfiability of the circuit $a_1, \ldots, a_N$ and $b_1, \ldots, b_N$ such that $a_i, b_i$ are the inputs to gate i and all the values are consistent with the wires and respect the NAND-gates. We will use the convention that 0 corresponds to false and 1 corresponds to true, so if $u_i$ is the output of gate i we have $1 - u_i = a_i b_i$. The prover makes commitments to the 2N-tuples
$$(a_1, \ldots, a_N, b_1, \ldots, b_N), \qquad (b_1, \ldots, b_N, 0, \ldots, 0), \qquad (u_1, \ldots, u_N, 0, \ldots, 0).$$
The prover gives an entry-wise product argument with c, d and v all being the commitment to $(a_1, \ldots, a_N, b_1, \ldots, b_N)$ to show $a_i = a_i^2$ and $b_i = b_i^2$ for all i. This shows that $a_1, \ldots, a_N, b_1, \ldots, b_N \in \{0, 1\}$ are appropriate truth values.

An output of one NAND-gate may be the input of other NAND-gates, which means the corresponding values $a_{i_1}, \ldots, a_{i_l}, b_{j_1}, \ldots, b_{j_m}$ have to have the same assignment. The prover picks a permutation ρ that contains cycles
$$i_1 \to i_2 \to \cdots \to i_l \to j_1 + N \to j_2 + N \to \cdots \to j_m + N \to i_1$$
for all such sets of values that have to be consistent and gives a permutation argument on the commitment to $(a_1, \ldots, a_N, b_1, \ldots, b_N)$, using the same commitment as both c and d. This shows for each set of values corresponding to the same output wire that $a_{i_2} = a_{i_1}, \ldots, b_{j_1} = a_{i_l}, \ldots, b_{j_m} = b_{j_{m-1}}$, so the values $(a_1, \ldots, a_N, b_1, \ldots, b_N)$ are consistent with the wiring of the circuit.
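The reduction sketched in this outline, as an added worked example that is not part of the paper: a small NAND circuit is turned into the vectors $(a_1, \ldots, a_N, b_1, \ldots, b_N)$ and $(u_1, \ldots, u_N)$, the wiring permutation ρ is built from the circuit, and the three relations that the entry-wise product and permutation arguments establish (Boolean-ness, wiring consistency along the cycles of ρ, and the NAND relation $a_i b_i = 1 - u_i$) are checked on the cleartext witness. Commitments and the pairing-based arguments are not modelled; the sample circuit, the wire naming, the function names and the brute-force search are constructed for this example, and the output condition is checked directly rather than through the paper's self-loop gate.

```python
from itertools import product


def example_circuit():
    """Constructed sample circuit (not from the paper).

    Each gate is (left input wire, right input wire); gate i's output wire is ("g", i)
    and primary inputs are named strings. The last gate is the output wire.  Here
    out = x1 AND x2 AND x3, built from NAND gates only.
    """
    return [
        ("x1", "x2"),            # g0 = x1 NAND x2
        (("g", 0), ("g", 0)),    # g1 = NOT g0 = x1 AND x2
        (("g", 1), "x3"),        # g2 = (x1 AND x2) NAND x3
        (("g", 2), ("g", 2)),    # g3 = NOT g2 = x1 AND x2 AND x3
    ]


def evaluate(gates, inputs):
    """Evaluate the circuit and return the paper's vectors (a, b, u):
    a_i, b_i are the inputs of gate i and u_i = 1 - a_i b_i its NAND output."""
    values = dict(inputs)
    a, b, u = [], [], []
    for i, (left, right) in enumerate(gates):
        ai, bi = values[left], values[right]
        ui = 1 - ai * bi
        values[("g", i)] = ui
        a.append(ai)
        b.append(bi)
        u.append(ui)
    return a, b, u


def wiring_permutation(gates):
    """The permutation rho of Section 1.2 on the 2N positions of (a_1..a_N, b_1..b_N)
    (0-indexed here): positions that read the same wire form one cycle, so
    v_i = v_{rho(i)} for all i forces equal values along each wire."""
    n_gates = len(gates)
    positions = {}
    for i, (left, right) in enumerate(gates):
        positions.setdefault(left, []).append(i)              # a-input of gate i
        positions.setdefault(right, []).append(n_gates + i)   # b-input of gate i
    rho = list(range(2 * n_gates))
    for pos in positions.values():
        for k, p in enumerate(pos):
            rho[p] = pos[(k + 1) % len(pos)]
    return rho


def check_witness(gates, a, b, u):
    """The three relations the arguments establish, checked on cleartext values."""
    n_gates = len(gates)
    v = a + b                                     # the committed 2N-tuple
    is_boolean = all(x * x == x for x in v)       # entry-wise product of v with itself
    rho = wiring_permutation(gates)
    is_consistent = all(v[i] == v[rho[i]] for i in range(2 * n_gates))
    w = b + [0] * n_gates                         # (b_1..b_N, 0..0)
    target = [1 - x for x in u] + [0] * n_gates   # (1-u_1..1-u_N, 0..0), homomorphic from u
    respects_nand = all(v[i] * w[i] == target[i] for i in range(2 * n_gates))
    return is_boolean and is_consistent and respects_nand


def satisfying_inputs(gates, input_names):
    """Brute force over inputs (demo only): those whose witness passes all checks and
    drives the output wire to 1.  The paper folds the output condition into the gates
    with a self-loop; here it is checked directly."""
    found = []
    for bits in product([0, 1], repeat=len(input_names)):
        a, b, u = evaluate(gates, dict(zip(input_names, bits)))
        if u[-1] == 1 and check_witness(gates, a, b, u):
            found.append(bits)
    return found


def tampered_witnesses_rejected(gates):
    """Two cheating attempts: a flipped gate output (caught by the NAND product check)
    and two readers of one wire given different values (caught by the permutation check)."""
    a, b, u = evaluate(gates, {"x1": 1, "x2": 1, "x3": 1})
    bad_u = u[:]
    bad_u[0] ^= 1
    bad_a = a[:]
    bad_a[1] ^= 1                  # gate 1 reads g0 on both inputs; a_1 no longer equals b_1
    return (not check_witness(gates, a, b, bad_u),
            not check_witness(gates, bad_a, b, u))
```

Note that the Boolean check is exactly the entry-wise product argument applied to a commitment against itself, and the consistency check is the permutation argument with c = d; in the real scheme both are verified on commitments, never on the vectors themselves.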
The prover uses additional commitments and entry-wise product and permutation arguments to show that the other committed values $(b_1, \ldots, b_N, 0, \ldots, 0)$ and $(u_1, \ldots, u_N, 0, \ldots, 0)$ are consistent with the wiring of the circuit and the values $(a_1, \ldots, a_N, b_1, \ldots, b_N)$; we refer to Section 8 for the details. Finally, the prover uses the entry-wise product argument to show that the entry-wise product of $(a_1, \ldots, a_N, b_1, \ldots, b_N)$ and $(b_1, \ldots, b_N, 0, \ldots, 0)$ is $(1 - u_1, \ldots, 1 - u_N, 0, \ldots, 0)$, so all the values respect the NAND gates. The latter commitment to $(1 - u_1, \ldots, 1 - u_N, 0, \ldots, 0)$ can easily be created from the commitment to $(u_1, \ldots, u_N, 0, \ldots, 0)$ using the homomorphic property of the commitment scheme.

This outline shows how to get a constant size NIZK argument for circuit satisfiability, but to enable the entry-wise product arguments and the permutation arguments the common reference string has size $O(N^2)$ group elements. In Section 9 we reduce the common reference string size by using commitments to n elements where n < N. With n smaller than 2N we need to give permutation arguments that span across multiple commitments though. Using permutation network techniques [Clo53] we manage to build such large permutations from many smaller permutations.

The technical contribution of this paper is the construction of an appropriate commitment scheme with corresponding non-interactive entry-wise product and permutation arguments. The

commitment scheme is a variant of the Pedersen commitment scheme, where the commitment key is of the form $(g, g^x, \ldots, g^{x^q})$. A commitment to $a_1, \ldots, a_q$ is a single group element computed as $g^r \prod_{i=1}^{q} (g^{x^i})^{a_i}$. The nice thing about this commitment scheme is that the discrete logarithm is a simple polynomial $r + \sum_{i=1}^{q} a_i x^i$. When we pair two commitments with each other we get a product of two polynomials in the exponent. By taking appropriate linear combinations over products of polynomials, we can express entry-wise products and permutations as equations over the coefficients of these polynomials. The q-CPDH assumption then allows us to conclude that these coefficients are identical and therefore the committed values satisfy an entry-wise multiplication relationship or a permutation relationship to each other.

When pairing commitments (equivalent to multiplying polynomials in the exponent) there will be various cross-terms. The role of the non-interactive arguments will be to cancel out these terms. Usually, a single group element paired with g suffices to cancel out all the cross-terms, so the non-interactive arguments for entry-wise products and permutations are highly efficient themselves.

To prove that our NIZK argument is sound, we need to reason about the coefficients of these polynomials. However, a cheating prover might create a commitment without knowing an opening of it. This is where the q-PKE assumption comes in handy: the prover gives non-interactive arguments demonstrating that it knows the openings of the commitments. By this we mean that there is an extractor that, given the same input as the prover, can reconstruct the commitments together with the openings of the commitments.

2 Definitions

Let R be an efficiently computable binary relation. For pairs $(C, w) \in R$ we call C the statement and w the witness. Let L be the NP-language consisting of statements with witnesses in R. When we restrict ourselves to statements of size N, we write respectively $L_N$ and $R_N$.
A non-interactive argument for a relation R consists of a common reference string generator algorithm K, a prover algorithm P and a verifier algorithm V that run in probabilistic polynomial time. The common reference string generator takes as input a security parameter k and may also take additional inputs, and produces a common reference string σ. In our case, the additional input to the key generation algorithm may be a value $N \in \mathbb{N}$ specifying the size of statements we are interested in. The prover takes as input (σ, C, w) and produces an argument π. The verifier takes as input (σ, C, π) and outputs 1 if the argument is acceptable and 0 if rejecting the argument. We call (K, P, V) an argument for R if it has the completeness and soundness properties described below.

Perfect completeness. Completeness captures the notion that an honest prover should be able to convince an honest verifier if the statement is true. For all adversaries A and $N = k^{O(1)}$ we have
$$\Pr\left[\sigma \leftarrow K(1^k, N);\ (C, w) \leftarrow A(\sigma);\ \pi \leftarrow P(\sigma, C, w) : V(\sigma, C, \pi) = 1 \text{ if } (C, w) \in R_N\right] = 1.$$

Computational soundness. Soundness captures the notion that it should be infeasible for an adversary to come up with an accepting argument for a false statement. For all non-uniform polynomial time adversaries A and $N = k^{O(1)}$ we have
$$\Pr\left[\sigma \leftarrow K(1^k, N);\ (C, \pi) \leftarrow A(\sigma) : C \notin L \text{ and } V(\sigma, C, \pi) = 1\right] \approx 0.$$

Perfect witness-indistinguishability. We say a non-interactive argument (K, P, V) is perfectly witness-indistinguishable if it is impossible to tell which witness the prover used when there are many possible witnesses. For all stateful interactive adversaries A and $N = k^{O(1)}$ we have
$$\Pr\left[\sigma \leftarrow K(1^k, N);\ (C, w_0, w_1) \leftarrow A(\sigma);\ \pi \leftarrow P(\sigma, C, w_0) : (C, w_0), (C, w_1) \in R_N \text{ and } A(\pi) = 1\right]$$
$$= \Pr\left[\sigma \leftarrow K(1^k, N);\ (C, w_0, w_1) \leftarrow A(\sigma);\ \pi \leftarrow P(\sigma, C, w_1) : (C, w_0), (C, w_1) \in R_N \text{ and } A(\pi) = 1\right].$$

Perfect zero-knowledge. An argument is zero-knowledge if it does not leak any information besides the truth of the statement. We say a non-interactive argument (K, P, V) is perfect zero-knowledge if there exists a polynomial time simulator $S = (S_1, S_2)$ with the following zero-knowledge property. $S_1$ outputs a simulated common reference string and a simulation trapdoor. $S_2$ takes the common reference string, the simulation trapdoor and a statement as input and produces a simulated argument. For all stateful interactive adversaries A and $N = k^{O(1)}$ we require
$$\Pr\left[\sigma \leftarrow K(1^k, N);\ (C, w) \leftarrow A(\sigma);\ \pi \leftarrow P(\sigma, C, w) : (C, w) \in R_N \text{ and } A(\pi) = 1\right]$$
$$= \Pr\left[(\sigma, \tau) \leftarrow S_1(1^k, N);\ (C, w) \leftarrow A(\sigma);\ \pi \leftarrow S_2(\sigma, \tau, C) : (C, w) \in R_N \text{ and } A(\pi) = 1\right].$$

3 Bilinear Groups

Notation. Given two functions $f, g : \mathbb{N} \to [0, 1]$ we write $f(k) \approx g(k)$ when $|f(k) - g(k)| = O(k^{-c})$ for every constant c > 0. We say that f is negligible when $f(k) \approx 0$ and that it is overwhelming when $f(k) \approx 1$. We write y = A(x; r) when the algorithm A on input x and randomness r outputs y. We write $y \leftarrow A(x)$ for the process of picking randomness r at random and setting y = A(x; r). We also write $y \leftarrow S$ for sampling y uniformly at random from the set S. We will assume it is possible to sample uniformly at random from sets such as $\mathbb{Z}_p$. We define [n] to be the set {1, 2, ..., n}.

Bilinear groups. Let $\mathcal{G}$ take a security parameter k written in unary as input and output a description of a bilinear group $(p, G, G_T, e) \leftarrow \mathcal{G}(1^k)$ such that
1. p is a k-bit prime.
2. $G, G_T$ are cyclic groups of order p.
3. $e : G \times G \to G_T$ is a bilinear map (pairing) such that $\forall a, b : e(g^a, g^b) = e(g, g)^{ab}$.
4.
If g generates G then e(g, g) generates $G_T$.
5. Membership in $G, G_T$ can be efficiently decided, group operations and the pairing e are efficiently computable, generators are efficiently sampleable, and the descriptions of the groups and group elements each have size O(k) bits.

The security of our NIZK arguments will be based on two new assumptions, which we call respectively the q-power knowledge of exponent assumption and the q-computational power Diffie-Hellman assumption.

The q-power knowledge of exponent assumption. The knowledge of exponent (KEA) assumption introduced by Damgård [Dam91] says that given $g, g^\alpha$ it is infeasible to create $c, \hat{c}$ so $\hat{c} = c^\alpha$ without knowing a so $c = g^a$ and $\hat{c} = (g^\alpha)^a$. Bellare and Palacio [BP04] extended

this to the KEA3 assumption, which says that given $g, g^x, g^\alpha, g^{\alpha x}$ it is infeasible to create $c, \hat{c}$ so $\hat{c} = c^\alpha$ without knowing $a_0, a_1$ so $c = g^{a_0} (g^x)^{a_1}$ and $\hat{c} = (g^\alpha)^{a_0} (g^{\alpha x})^{a_1}$. This assumption has also been used in bilinear groups by Abe and Fehr [AF07], who called it the extended knowledge of exponent assumption.

The q-power knowledge of exponent assumption is a generalization of KEA and KEA3. It says that given $(g, g^x, \ldots, g^{x^q}, g^\alpha, g^{\alpha x}, \ldots, g^{\alpha x^q})$ it is infeasible to create $c, \hat{c}$ so $\hat{c} = c^\alpha$ without knowing $a_0, \ldots, a_q$ so $c = \prod_{i=0}^{q} (g^{x^i})^{a_i}$ and $\hat{c} = \prod_{i=0}^{q} (g^{\alpha x^i})^{a_i}$.

We will now give the formal definition of the q-power knowledge of exponent assumption. Following Abe and Fehr [AF07] we write $(y; z) \leftarrow (A \| X_A)(x)$ when A on input x outputs y and $X_A$ on the same input (including the random tape of A) outputs z.

Definition 1 (q-PKE). The q(k)-power knowledge of exponent assumption holds for $\mathcal{G}$ if for every non-uniform probabilistic polynomial time adversary A there exists a non-uniform probabilistic polynomial time extractor $X_A$ so
$$\Pr\Big[(p, G, G_T, e) \leftarrow \mathcal{G}(1^k);\ g \leftarrow G \setminus \{1\};\ \alpha, x \leftarrow \mathbb{Z}_p;\ \sigma = (p, G, G_T, e, g, g^x, \ldots, g^{x^q}, g^\alpha, g^{\alpha x}, \ldots, g^{\alpha x^q});\ (c, \hat{c}; a_0, \ldots, a_q) \leftarrow (A \| X_A)(\sigma) : \hat{c} = c^\alpha \ \wedge\ c \neq \prod_{i=0}^{q} g^{a_i x^i}\Big] \approx 0.$$

We give a heuristic argument for believing in the q-PKE assumption by showing that it holds in the generic group model in Appendix A.

The q-computational power Diffie-Hellman assumption. The computational Diffie-Hellman (CDH) assumption says that given $g, g^\beta, g^x$ it is infeasible to compute $g^{\beta x}$. The q-computational power Diffie-Hellman assumption is a generalization of the CDH assumption that says that given $(g, g^x, \ldots, g^{x^q}, g^\beta, g^{\beta x}, \ldots, g^{\beta x^q})$ except for one missing element $g^{\beta x^j}$, it is hard to compute the missing element.

Definition 2 (q-CPDH).
The q(k)-computational power Diffie-Hellman assumption holds for $\mathcal{G}$ if for all $j \in \{0, \ldots, q\}$ and all non-uniform probabilistic polynomial time adversaries A we have
$$\Pr\Big[(p, G, G_T, e) \leftarrow \mathcal{G}(1^k);\ g \leftarrow G \setminus \{1\};\ \beta, x \leftarrow \mathbb{Z}_p;\ y \leftarrow A(p, G, G_T, e, g, g^x, \ldots, g^{x^q}, g^\beta, g^{\beta x}, \ldots, g^{\beta x^{j-1}}, g^{\beta x^{j+1}}, \ldots, g^{\beta x^q}) : y = g^{\beta x^j}\Big] \approx 0.$$

We give a heuristic argument for believing in the q-CPDH assumption by showing that it holds in the generic group model in Appendix A.

4 Knowledge Commitment

We will use a variant of the Pedersen commitment scheme in our NIZK argument where we commit to $a_1, \ldots, a_q$ as $c = g^r \prod_{i \in [q]} g_i^{a_i}$. In the security proof of our NIZK argument for circuit satisfiability we will need to extract the committed values $a_1, \ldots, a_q$; but the commitment scheme itself is perfectly hiding and does not reveal the committed values. For this reason, we will require the prover to create a related commitment $\hat{c} = \hat{g}^r \prod_{i \in [q]} \hat{g}_i^{a_i}$ and will rely on the q-PKE assumption for extracting the committed values. We call $(c, \hat{c})$ a knowledge commitment, since the prover cannot make a valid commitment without knowing the committed values.

Key generation: Pick $gk = (p, G, G_T, e) \leftarrow \mathcal{G}(1^k)$, $g \leftarrow G \setminus \{1\}$, $x, \alpha \leftarrow \mathbb{Z}_p$. The commitment key is
$$ck = (gk, g, g_1, \ldots, g_q, \hat{g}, \hat{g}_1, \ldots, \hat{g}_q) = (gk, g, g^x, \ldots, g^{x^q}, g^\alpha, g^{\alpha x}, \ldots, g^{\alpha x^q})$$
and the trapdoor key is tk = x.

Commitment: To commit to $a_1, \ldots, a_q$ pick $r \leftarrow \mathbb{Z}_p$ and compute the knowledge commitment $(c, \hat{c})$ as
$$c = g^r \prod_{i \in [q]} g_i^{a_i}, \qquad \hat{c} = \hat{g}^r \prod_{i \in [q]} \hat{g}_i^{a_i}.$$
Given $(c, \hat{c}) \in G^2$ we can verify that it is well-formed by checking $e(g, \hat{c}) = e(c, \hat{g})$.

Trapdoor commitment: To make a trapdoor commitment sample trapdoor randomness $t \leftarrow \mathbb{Z}_p$ and compute the knowledge commitment $(c, \hat{c})$ as $c = g^t$, $\hat{c} = \hat{g}^t$.

Trapdoor opening: The trapdoor opening algorithm on messages $a_1, \ldots, a_q \in \mathbb{Z}_p$ returns the randomizer $r = t - \sum_{i \in [q]} a_i x^i$. The trapdoor opening satisfies
$$c = g^r \prod_{i \in [q]} g_i^{a_i} \qquad \text{and} \qquad \hat{c} = \hat{g}^r \prod_{i \in [q]} \hat{g}_i^{a_i}.$$

The commitment scheme has properties similar to those of standard Pedersen commitments, as the following theorem shows.

Theorem 1. The commitment scheme is perfectly trapdoor and computationally binding. Assuming the q-PKE assumption holds, there exists for any non-uniform probabilistic polynomial time committer A a non-uniform probabilistic polynomial time extractor $X_A$ that computes the contents of the commitment when given the input of A (including any random coins).

Proof. To see that the commitment is perfectly trapdoor and perfectly hiding, consider an arbitrary q-tuple of messages $(a_1, \ldots, a_q)$. Since g is a generator of G, both the real commitment algorithm and the trapdoor commitment algorithm generate a random group element $c \leftarrow G$, and the other part is given by $\hat{c} = c^\alpha$. Given c and $a_1, \ldots, a_q$ the randomizer is determined uniquely, so real commitments and their openings have the same distribution as trapdoor commitments and trapdoor openings.

To prove that the commitment scheme is binding, suppose a non-uniform probabilistic polynomial time adversary creates two openings $(r, a_1, \ldots, a_q)$ and $(s, b_1, \ldots, b_q)$ of the same commitment, i.e., $g^r \prod_{i \in [q]} g_i^{a_i} = g^s \prod_{i \in [q]} g_i^{b_i}$. By the homomorphic property of the commitment scheme we have $g^{r - s} \prod_{i \in [q]} g_i^{a_i - b_i} = 1$, which implies $r - s + \sum_{i \in [q]} (a_i - b_i) x^i = 0$.
By Lemma 1 there is negligible probability for finding a non-trivial linear combination of $1, x, \ldots, x^q$, so we have $r = s, a_1 = b_1, \ldots, a_q = b_q$. The existence of a non-uniform probabilistic polynomial time knowledge extractor $X_A$ that extracts the contents of the knowledge commitment made by a non-uniform probabilistic polynomial time committer A follows directly from the q-PKE assumption.

4.1 Restriction Argument

Consider a subset $S \subseteq [q]$ and a commitment c. We will need an argument for the opening $r, a_1, \ldots, a_q$ being such that the indices of non-zero values are restricted to S. In other words, we need an argument for the commitment being of the form $c = g^r \prod_{i \in S} g_i^{a_i}$. The argument will take the form $\pi = h^r \prod_{i \in S} h_i^{a_i}$, which intuitively corresponds to an additional argument of knowledge with respect to a small base $(h, \{h_i\}_{i \in S})$.

Setup: $gk \leftarrow \mathcal{G}(1^k)$; $ck \leftarrow K_{\mathrm{commit}}(gk)$.

10 Common reference strng: Gven (ck, S) as nput pck at random β Z p and compute the common reference strng as σ = (h, {h } S ) = (g β, {g β } S). Statement: A vald knowledge commtment (c, ĉ). Prover s wtness: Openng r, {a } S so c = g r S ga and ĉ = ĝ r S ĝa. Argument: Compute the argument as π = h r S ha. Verfcaton: Output 1 f and only f e(c, h) = e(g, π). Theorem 2. The restrcton argument s perfectly complete and perfectly wtnessndstngushable. If the q-cpdh assumpton holds, all non-unform probablstc polynomal tme adversares have neglgble probablty of outputtng (r, a 1,..., a q, π) so a 0 for some / S and π s an acceptable restrcton argument for the commtment correspondng to the openng. Observe that we phrase the soundness of the restrcton argument as the nablty to fnd an openng of the commtment that volates the restrcton. Snce the commtment scheme s perfectly hdng we cannot exclude the exstence of openngs that volate the restrcton. However, f t holds that t s a knowledge commtment (Theorem 1) we see that the openng we extract from the commtter must respect the restrcton. Proof. Perfect completeness follows from the fact that an honestly generated proof satsfes π = c β, whch mples that the verfcaton succeeds. Snce g, h are generators of G there s for any commtment c a unque acceptable argument π. Snce all vald wtnesses result n ths unque acceptable argument, we have perfect wtness-ndstngushablty. Remanng s to argue that there s neglgble probablty of producng an openng (r, a 1,..., a q ) of a commtment c together wth an acceptable proof π, where for some / S we have a 0. Assume for contradcton that A s a non-unform probablstc polynomal tme adversary wth ɛ(k) chance of breakng ths noton of soundness. We wll use t to construct a non-unform probablstc polynomal tme algorthm B that breaks the q-cpdh assumpton wth probablty ɛ(k)/q when q = poly(k). 
Let us pick $j \in [q] \setminus S$ at random and give the q-CPDH challenge $(p, G, G_T, e, g, g^x, \ldots, g^{x^q}, g^\beta, g^{\beta x}, \ldots, g^{\beta x^{j-1}}, g^{\beta x^{j+1}}, \ldots, g^{\beta x^q})$ to B. Now B picks at random $\alpha \leftarrow \mathbb{Z}_p$ and hands $(p, G, G_T, e, g, g^x, \ldots, g^{x^q}, g^\alpha, g^{\alpha x}, \ldots, g^{\alpha x^q}, g^\beta, \{g^{\beta x^i}\}_{i \in S})$ to A. This looks like a normal commitment key and common reference string, so with probability ε(k) the adversary A returns an opening $(r, a_1, \ldots, a_q)$ and an accepting argument π, with at least one $i \notin S$ for which $a_i \neq 0$. We chose j at random, so there is at least 1/q chance for $a_j \neq 0$. Since the argument is accepting we have $e(c, h) = e(g, \pi)$, which means $e(g^{r + \sum_{i \in [q]} a_i x^i}, g^\beta) = e(g, \pi)$. By the bilinearity of e this implies $\pi = g^{r\beta} \prod_{i \in [q]} g^{a_i \beta x^i}$, which in turn means $g^{a_j \beta x^j} = \pi \cdot g^{-r\beta} \prod_{i \in [q] \setminus \{j\}} g^{-a_i \beta x^i}$. With $a_j \neq 0$ we get
$$g^{\beta x^j} = \Big(\pi \cdot (g^\beta)^{-r} \prod_{i \in [q] \setminus \{j\}} (g^{\beta x^i})^{-a_i}\Big)^{1/a_j},$$
which breaks the q-CPDH challenge.

5 Common Reference String

We will now describe how to generate the common reference string for our NIZK argument. The common reference string will consist of a knowledge commitment key ck for $q = n^2 + 3n - 2$ values together with three common reference strings for restriction to the sets
$$\tilde{S} = \{1, 2, \ldots, n\}, \qquad \bar{S} = \{(n+1), 2(n+1), \ldots, n(n+1)\}, \qquad \dot{S} = \{l \in [q] \mid l \equiv 0 \bmod (n+2)\}.$$
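The knowledge commitment of Section 4 and the restriction argument of Section 4.1, as an added example that is not from the paper. To keep it runnable without a pairing library, the group is simulated in the exponent: an element $g^a$ is stored as $a \bmod p$ and $e(g^a, g^b) = e(g, g)^{ab}$ is stored as $ab \bmod p$, so every verification equation becomes integer arithmetic. This faithfully models the algebra the equations rely on but not the hardness: in this representation discrete logarithms are free, so the simulated scheme is neither hiding nor binding. The prime, the sample messages and all function names are this example's assumptions.

```python
"""Knowledge commitment (Section 4) and restriction argument (Section 4.1) over a
simulated group: group elements are their discrete logarithms base g (mod P), and a
pairing is a product of logs. Added example, not the paper's code; values constructed."""
import secrets

P = (1 << 61) - 1            # prime group order for the model (a Mersenne prime)


def rand_exp():
    return secrets.randbelow(P - 1) + 1      # non-zero element of Z_p


def pair(a, b):
    """e(g^a, g^b) = e(g,g)^{ab}; in the log representation that is a*b."""
    return a * b % P


def keygen(q, x=None, alpha=None):
    """ck = (g, g^x, ..., g^{x^q}, g^alpha, g^{alpha x}, ..., g^{alpha x^q}); log g = 1."""
    x = rand_exp() if x is None else x
    alpha = rand_exp() if alpha is None else alpha
    g = [pow(x, i, P) for i in range(q + 1)]         # g_i = g^{x^i}, with g_0 = g
    ghat = [alpha * gi % P for gi in g]                # ĝ_i = g_i^alpha
    return {"q": q, "g": g, "ghat": ghat, "tk": x}    # tk = x is the trapdoor


def commit(ck, a, r):
    """(c, ĉ) = (g^r ∏ g_i^{a_i}, ĝ^r ∏ ĝ_i^{a_i}); a[i-1] holds a_i for i = 1..q."""
    q = ck["q"]
    assert len(a) == q
    c = (r + sum(a[i - 1] * ck["g"][i] for i in range(1, q + 1))) % P
    chat = (ck["ghat"][0] * r + sum(a[i - 1] * ck["ghat"][i] for i in range(1, q + 1))) % P
    return c, chat


def well_formed(ck, c, chat):
    """Knowledge-commitment check e(g, ĉ) = e(c, ĝ)."""
    return pair(ck["g"][0], chat) == pair(c, ck["ghat"][0])


def trapdoor_open(ck, t, a):
    """Randomizer r = t - Σ a_i x^i so that the trapdoor commitment (g^t, ĝ^t) opens to a."""
    x = ck["tk"]
    return (t - sum(a[i - 1] * pow(x, i, P) for i in range(1, ck["q"] + 1))) % P


def restrict_setup(ck, S, beta=None):
    """Restriction CRS (h, {h_i}_{i in S}) = (g^beta, {g_i^beta})."""
    beta = rand_exp() if beta is None else beta
    return {"S": set(S), "h": beta, "h_i": {i: beta * ck["g"][i] % P for i in S}}


def restrict_prove(sigma, a, r):
    """π = h^r ∏_{i in S} h_i^{a_i}; the prover only holds h_i for i in S."""
    return (sigma["h"] * r + sum(a[i - 1] * sigma["h_i"][i] for i in sigma["S"])) % P


def restrict_verify(ck, sigma, c, pi):
    """Accept iff e(c, h) = e(g, π)."""
    return pair(c, sigma["h"]) == pair(ck["g"][0], pi)


def demo(q=6, S=(1, 2, 3)):
    ck = keygen(q)
    sigma = restrict_setup(ck, S)
    a = [5, 0, 7, 0, 0, 0]                       # non-zero only at indices in S
    r = rand_exp()
    c, chat = commit(ck, a, r)
    ok_commit = well_formed(ck, c, chat)
    ok_restrict = restrict_verify(ck, sigma, c, restrict_prove(sigma, a, r))
    # Trapdoor: (g^t, ĝ^t) opens to a with the randomizer from trapdoor_open.
    t = rand_exp()
    ok_trapdoor = commit(ck, a, trapdoor_open(ck, t, a)) == (t, ck["ghat"][0] * t % P)
    # A value outside S: the prover has no h_4, and the argument it can form is rejected.
    bad = [5, 0, 7, 9, 0, 0]
    c_bad, _ = commit(ck, bad, r)
    ok_reject = not restrict_verify(ck, sigma, c_bad, restrict_prove(sigma, bad, r))
    return ok_commit, ok_restrict, ok_trapdoor, ok_reject
```

The rejected case shows why the restriction argument is phrased as in Theorem 2: the log of $e(c, h)$ is $\beta(r + \sum_i a_i x^i)$ over all indices, while an honest $\pi$ only carries the $\beta x^i$ terms for $i \in S$, so any non-zero $a_j$ with $j \notin S$ leaves a $\beta x^j$ term unmatched; producing it would mean computing the missing q-CPDH element.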

The zero-knowledge simulation of the argument will use the same type of common reference string, and the simulation trapdoor for our NIZK argument will be the trapdoor for the knowledge commitment.

Common Reference String Generation: On input $1^k$ and n do
1. Generate a bilinear group $(p, G, G_T, e) \leftarrow \mathcal{G}(1^k)$ and set $gk = (p, G, G_T, e)$.
2. Pick $g \leftarrow G \setminus \{1\}$, $x, \alpha \leftarrow \mathbb{Z}_p$ and compute $ck = (gk, g, g_1, \ldots, g_q, \hat{g}, \hat{g}_1, \ldots, \hat{g}_q) = (gk, g, g^x, \ldots, g^{x^{n^2 + 3n - 2}}, g^\alpha, g^{\alpha x}, \ldots, g^{\alpha x^{n^2 + 3n - 2}})$.
3. Generate $\tilde{\sigma} \leftarrow K_{\mathrm{restrict}}(ck, \tilde{S})$ where $\tilde{S} = \{1, 2, \ldots, n\}$.
4. Generate $\bar{\sigma} \leftarrow K_{\mathrm{restrict}}(ck, \bar{S})$ where $\bar{S} = \{(n+1), 2(n+1), \ldots, n(n+1)\}$.
5. Generate $\dot{\sigma} \leftarrow K_{\mathrm{restrict}}(ck, \dot{S})$ where $\dot{S} = \{l \in [q] \mid l \equiv 0 \bmod (n+2)\}$.
The common reference string is $\sigma = (ck, \tilde{\sigma}, \bar{\sigma}, \dot{\sigma})$. The simulation trapdoor is tk = x.

Given a common reference string, it is hard to find a non-trivial linear combination of $1, x, \ldots, x^q$, because we could run a polynomial factorization algorithm in $\mathbb{Z}_p[X]$ to compute the root x.

Lemma 1. If the q-CPDH assumption holds for $\mathcal{G}$ with $q = n^2 + 3n - 2$, a non-uniform probabilistic polynomial time adversary has negligible chance of finding a non-trivial linear combination $(a_0, \ldots, a_q)$ such that $\sum_{i=0}^{q} a_i x^i = 0$ given a random common reference string σ.

Proof. Suppose A is a non-uniform probabilistic polynomial time algorithm that when given a common reference string has ε(k) chance of finding $(a_0, \ldots, a_q)$ such that $\sum_{i=0}^{q} a_i x^i = 0$. We will construct an adversary B for the q-CPDH assumption with success probability ε(k). B on a CPDH-challenge $(p, G, G_T, e, g, \ldots, g^{x^q}, g^\beta, g^{\beta x}, \ldots, g^{\beta x^{j-1}}, g^{\beta x^{j+1}}, \ldots, g^{\beta x^q})$ will ignore the latter half and use A to compute x given $(p, G, G_T, e, g, g_1, \ldots, g_q) = (p, G, G_T, e, g, g^x, \ldots, g^{x^q})$. Once we have x, it is of course easy to compute the solution to the q-CPDH problem as $y = g^{\beta x^j} = (g^\beta)^{x^j}$.
$B$ picks at random $\alpha, \beta, \tilde\beta, \dot\beta \in \mathbb{Z}_p$ and computes a common reference string as follows
$$\hat g = g^\alpha, \quad h = g^\beta, \quad \tilde h = g^{\tilde\beta}, \quad \dot h = g^{\dot\beta}$$
$$\forall i \in [q]: \hat g_i = g_i^\alpha, \qquad \forall i \in S: h_i = g_i^\beta, \qquad \forall i \in \tilde S: \tilde h_i = g_i^{\tilde\beta}, \qquad \forall i \in \dot S: \dot h_i = g_i^{\dot\beta}.$$
It gives the common reference string to $A$ and since it has the same distribution as a real common reference string there is probability $\epsilon(k)$ for $A$ returning a non-trivial linear combination $(a_0, \ldots, a_q)$ so $\sum_{i=0}^q a_i x^i = 0$. Using a polynomial factorization algorithm for $\mathbb{Z}_p[X]$ we can efficiently find the up to $q$ roots of the polynomial. It is now easy to try each of them until we find $x$ so $g_1 = g^x$.

Verifying the common reference string. The common reference string described above has a particular mathematical structure and we do not know of an extraction procedure that can generate it from a public string of random bits. However, provided we can verify that $(p, G, G_T, e)$ does describe a bilinear group, it is also possible to verify that $\sigma$ is a well-formed common reference string. First, we check that all group elements in $\sigma$ are non-trivial. This demonstrates

that the secret exponents $x, \alpha, \beta, \tilde\beta, \dot\beta$ are non-zero. Next, we use the pairing operation to verify the structure of the common reference string. We check
$$\forall i \in [q]: e(g, g_{i+1}) = e(g_1, g_i), \qquad \forall i \in [q]: e(g, \hat g_i) = e(\hat g, g_i),$$
$$\forall i \in S: e(g, h_i) = e(h, g_i), \qquad \forall i \in \tilde S: e(g, \tilde h_i) = e(\tilde h, g_i), \qquad \forall i \in \dot S: e(g, \dot h_i) = e(\dot h, g_i).$$
By verifying the common reference string, the prover can be assured that the argument is perfectly witness-indistinguishable. This means that even if the common reference string is generated by an untrusted source such as the verifier, we get a 2-move argument with perfect witness-indistinguishability, also known as Zaps [DN00]. The verifier in the first move sends a common reference string and the prover then can give many publicly verifiable arguments (second moves) for different statements using the same common reference string.

6 Product Argument

Consider three commitments
$$c = g^r \prod_{i \in [n]} g_i^{a_i}, \qquad d = g^s \prod_{j \in [n]} g_{(n+1)j}^{b_j}, \qquad v = g^t \prod_{i \in [n]} g_i^{u_i}, \qquad \forall i \in [n]: u_i = a_i b_i.$$
With the corresponding restriction arguments $\hat c, \tilde c, \hat d, \tilde d, \hat v, \tilde v$ we can assume the committer knows openings to values $a_1, \ldots, a_n$, $b_1, \ldots, b_n$ and $u_1, \ldots, u_n$. We will give an argument $(\pi, \hat\pi, \dot\pi)$ consisting of three group elements for the committed values satisfying $u_1 = a_1 b_1, \ldots, u_n = a_n b_n$. In order to explain the intuition in the argument, let us consider the following toy example $c = \prod_{i \in [n]} g_i^{a_i}$ and $d = \prod_{j \in [n]} g_{(n+1)j}^{b_j}$, where we want to show $a_1 b_1 = 0, \ldots, a_n b_n = 0$. The discrete logarithms of the two commitments are $\sum_{i \in [n]} a_i x^i$ and $\sum_{j \in [n]} b_j x^{(n+1)j}$ and the discrete logarithm of $e(c, d)$ is
$$\sum_{i \in [n]} a_i x^i \sum_{j \in [n]} b_j x^{(n+1)j} = \sum_{i \in [n]} \sum_{j \in [n]} a_i b_j x^{i + (n+1)j} = \sum_{i \in [n]} a_i b_i x^{i(n+2)} + \sum_{i \in [n]} \sum_{j \in [n] \setminus \{i\}} a_i b_j x^{i + (n+1)j}.$$
In the final sum, the left term contains the coefficients $a_1 b_1, \ldots, a_n b_n$ that are supposed to be 0, however, the right term complicates matters. The argument $\pi$ will be constructed such that it can be used to cancel out the latter term. Notice that the left term isolates the coefficients of $x^{n+2}, \ldots, x^{n(n+2)}$, while the right term does not contain any such coefficients.
By giving an appropriate restriction argument, the prover can guarantee that she only cancels out the right term without interfering with the left term containing $x^{n+2}, \ldots, x^{n(n+2)}$. The prover computes $\pi = \prod_{i \in [n]} \prod_{j \in [n] \setminus \{i\}} g_{i + (n+1)j}^{a_i b_j}$ and gives corresponding $\hat\pi, \dot\pi$ values demonstrating that it knows an opening $(z, \{z_l\}_{l \in \dot S})$ of $\pi$ restricted to $\dot S$. The verifier will check $e(c, d) = e(g, \pi)$. Let us now argue that we have soundness: given $\pi, \hat\pi, \dot\pi$ such that $e(c, d) = e(g, \pi)$ the verifier can be assured that $a_1 b_1 = 0, \ldots, a_n b_n = 0$. Taking discrete logarithms, the verification equation tells us that
$$\sum_{i \in [n]} a_i b_i x^{i(n+2)} + \sum_{i \in [n]} \sum_{j \in [n] \setminus \{i\}} a_i b_j x^{i + (n+1)j} = z + \sum_{l \in \dot S} z_l x^l.$$

Recall, $\dot S = \{l \in [n^2 + 3n - 2] : l \not\equiv 0 \bmod n+2\}$ so the argument $\pi$ will not contain any coefficients of the form $x^{n+2}, \ldots, x^{n(n+2)}$. This means the coefficients of $x^{n+2}, \ldots, x^{n(n+2)}$ are $a_1 b_1, \ldots, a_n b_n$. If there is an $i$ such that $a_i b_i \neq 0$, then we have a non-trivial polynomial equation in $x$. By Lemma 1 this would allow us to recover $x$ and break the $q$-PKE assumption.

In the general case we want to give an argument for $a_i b_i = u_i$ instead of just $a_i b_i = 0$. However, if we evaluate $e(v, \prod_{j \in [n]} g_{(n+1)j})$ we can view the latter as a commitment to $(1, 1, \ldots, 1)$ and we will get their products $u_1 \cdot 1, \ldots, u_n \cdot 1$ as coefficients of $x^{n+2}, \ldots, x^{n(n+2)}$. If $u_1 = a_1 b_1, \ldots, u_n = a_n b_n$ the two pairings $e(c, d)$ and $e(v, \prod_{j \in [n]} g_{(n+1)j})$ therefore have the same coefficients of $x^{n+2}, \ldots, x^{n(n+2)}$ and otherwise the coefficients are different. As in the toy example above, we may choose $\pi$ such that it cancels out all the other terms. Due to the restriction to $\dot S$ the argument will not have any $x^{n+2}, \ldots, x^{n(n+2)}$ terms and we therefore get soundness. In the general case, the commitments also have randomizers and we will choose $\pi$ such that it also cancels out these terms. We give the full argument below.

Statement: Commitments $c, d, v \in G$.
Prover's witness: Openings $r, a_1, \ldots, a_n$ and $s, b_1, \ldots, b_n$ and $t, u_1, \ldots, u_n$ so
$$c = g^r \prod_{i \in [n]} g_i^{a_i}, \qquad d = g^s \prod_{j \in [n]} g_{(n+1)j}^{b_j}, \qquad v = g^t \prod_{i \in [n]} g_i^{u_i} \qquad \text{and} \qquad \forall i \in [n]: u_i = a_i b_i.$$
Argument: Compute the argument $(\pi, \hat\pi, \dot\pi)$ as
$$\pi = g^{rs} \prod_{i \in [n]} g_i^{a_i s} \prod_{j \in [n]} g_{(n+1)j}^{b_j r - t} \prod_{i \in [n]} \prod_{j \in [n] \setminus \{i\}} g_{i + (n+1)j}^{a_i b_j - u_i}$$
$$\hat\pi = \hat g^{rs} \prod_{i \in [n]} \hat g_i^{a_i s} \prod_{j \in [n]} \hat g_{(n+1)j}^{b_j r - t} \prod_{i \in [n]} \prod_{j \in [n] \setminus \{i\}} \hat g_{i + (n+1)j}^{a_i b_j - u_i}$$
$$\dot\pi = \dot h^{rs} \prod_{i \in [n]} \dot h_i^{a_i s} \prod_{j \in [n]} \dot h_{(n+1)j}^{b_j r - t} \prod_{i \in [n]} \prod_{j \in [n] \setminus \{i\}} \dot h_{i + (n+1)j}^{a_i b_j - u_i}$$
Verification: Output 1 if and only if
$$e(g, \hat\pi) = e(\pi, \hat g), \qquad e(g, \dot\pi) = e(\pi, \dot h), \qquad e(c, d) = e\Big(v, \prod_{j \in [n]} g_{(n+1)j}\Big) e(g, \pi).$$

Theorem 3. The product argument has perfect completeness and perfect witness-indistinguishability. If the $q$-CPDH assumption holds, then a non-uniform probabilistic polynomial time adversary has negligible chance of outputting commitments $(c, d, v)$ and an accepting argument $\pi$ with corresponding openings of the commitments and the argument such that for some $i \in [n]$ we have $a_i b_i \neq u_i$.

Proof.
Straightforward computation shows that the argument is perfectly complete. To see that the argument is perfectly witness-indistinguishable, observe that given $c, d, v$ there is exactly one acceptable argument $\pi$ satisfying the verification equation. Given $\pi$ the other parts $\hat\pi$ and $\dot\pi$ are also determined uniquely by the verification equations because $\hat g$ and $\dot h$ are generators of $G$. This means that any valid opening of $c, d, v$ with $a_1 b_1 = u_1, \ldots, a_n b_n = u_n$ will result in the same argument $(\pi, \hat\pi, \dot\pi)$. We will now prove that the argument satisfies the soundness condition given in the theorem. Suppose there is a non-uniform probabilistic polynomial time adversary $A$ that has more than

negligible chance of finding openings $r, a_1, \ldots, a_n$, $s, b_1, \ldots, b_n$, $t, u_1, \ldots, u_n$ and $z, \{z_l\}_{l \in \dot S}$ such that
$$c = g^r \prod_{i \in [n]} g_i^{a_i}, \qquad d = g^s \prod_{j \in [n]} g_{(n+1)j}^{b_j}, \qquad v = g^t \prod_{i \in [n]} g_i^{u_i}, \qquad \pi = g^z \prod_{l \in \dot S} g_l^{z_l},$$
$$\exists i \in [n]: a_i b_i \neq u_i, \qquad e(c, d) = e\Big(v, \prod_{j \in [n]} g_{(n+1)j}\Big) e(g, \pi).$$
Then we have
$$\log_{e(g,g)} e(c, d) = \Big(r + \sum_{i \in [n]} a_i x^i\Big)\Big(s + \sum_{j \in [n]} b_j x^{(n+1)j}\Big) = rs + s \sum_{i \in [n]} a_i x^i + r \sum_{j \in [n]} b_j x^{(n+1)j} + \sum_{i \in [n]} \sum_{j \in [n]} a_i b_j x^{i + (n+1)j}$$
$$\log_{e(g,g)} e\Big(v, \prod_{j \in [n]} g_{(n+1)j}\Big) = \Big(t + \sum_{i \in [n]} u_i x^i\Big)\Big(\sum_{j \in [n]} x^{(n+1)j}\Big) = t \sum_{j \in [n]} x^{(n+1)j} + \sum_{i \in [n]} \sum_{j \in [n]} u_i x^{i + (n+1)j}$$
$$\log_{e(g,g)} e(g, \pi) = z + \sum_{l \in \dot S} z_l x^l.$$
Since $e(c, d) = e(v, \prod_{j \in [n]} g_{(n+1)j}) e(g, \pi)$ the discrete logarithms satisfy
$$rs + s \sum_{i \in [n]} a_i x^i + r \sum_{j \in [n]} b_j x^{(n+1)j} + \sum_{i \in [n]} \sum_{j \in [n]} a_i b_j x^{i + (n+1)j} = t \sum_{j \in [n]} x^{(n+1)j} + \sum_{i \in [n]} \sum_{j \in [n]} u_i x^{i + (n+1)j} + z + \sum_{l \in \dot S} z_l x^l.$$
Recall that $\dot S$ does not contain $n+2, 2(n+2), \ldots, n(n+2)$. We therefore see that for all $i \in [n]$ the coefficients of $x^{i(n+2)}$ on each side of the equality are respectively $a_i b_i$ and $u_i$. If $a_i b_i \neq u_i$ for some $i \in [n]$ this gives us a non-trivial linear combination of $1, x, \ldots, x^{n^2+3n-2}$ and by Lemma 1 a breach of the $q$-CPDH assumption.

The product argument has two commitments with restriction to $S$ and one commitment restricted to $\tilde S$. It is quite easy to translate commitments back and forth between $S$ and $\tilde S$ though. If we have two commitments $v$ and $d$ restricted to respectively $S$ and $\tilde S$, we can give a product argument for the values in $v$ being the product of the values in $c = \prod_{i \in [n]} g_i$ and $d$. Since $c$ is a commitment to $(1, \ldots, 1)$ this proves that $v$ and $d$ contain the same values. The product argument makes it possible to prove that the committed values in a commitment $c$ are bits. If we give a product argument for $c$ containing the entry-wise product of the values in $c$ and $d$, where $d$ contains the same values as $c$, then we have that the values satisfy $a_i = a_i^2$, which implies $a_i \in \{0, 1\}$.

7 Permutation Argument

Consider two commitments and a permutation
$$c = g^r \prod_{i \in [n]} g_i^{a_i}, \qquad d = g^s \prod_{i \in [n]} g_i^{b_i}, \qquad \rho \in S_n, \qquad \forall i \in [n]: b_i = a_{\rho(i)}.$$
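The product argument of Section 6 above, in a toy exponent-space model added here as an example (not code from the paper): every group element $g^{f(x)}$ is represented by the polynomial $f$, so a pairing becomes a polynomial product and the verification equation becomes the polynomial identity used in the proof of Theorem 3. The modulus `P`, the helper names and the sample values are constructed; the index sets, the commitments and the closed form of $\pi$ follow the paper.

```python
"""Exponent-space model of the product argument (added example, not the paper's code).

A group element g^{f(x)} is stored as the polynomial f, a dict degree -> coefficient
mod P, so e(g^f, g^h) corresponds to the product f*h and the pairing verification
equation becomes a polynomial identity. The restriction argument (pi-hat, pi-dot)
is modelled as a check on the support of the prover's polynomial.
"""
from collections import defaultdict

P = 2**61 - 1  # constructed stand-in for the prime group order p


def pmul(f, g):
    """Polynomial product mod P: the exponent of the pairing e(g^f, g^h)."""
    h = defaultdict(int)
    for i, a in f.items():
        for j, b in g.items():
            h[i + j] = (h[i + j] + a * b) % P
    return {k: v for k, v in h.items() if v}


def psub(f, g):
    """f - g mod P: the exponent of a quotient of two G_T elements."""
    h = dict(f)
    for k, v in g.items():
        h[k] = (h.get(k, 0) - v) % P
    return {k: v for k, v in h.items() if v}


def index_sets(n):
    """q and the index sets S, S-tilde, S-dot from Section 5."""
    q = n * n + 3 * n - 2
    S = list(range(1, n + 1))
    S_tilde = [(n + 1) * j for j in range(1, n + 1)]
    S_dot = {l for l in range(1, q + 1) if l % (n + 2) != 0}
    return q, S, S_tilde, S_dot


def commit(rand, values, indices):
    """Exponent of the commitment g^rand * prod_i g_{indices[i]}^{values[i]}."""
    f = {0: rand % P} if rand % P else {}
    for v, idx in zip(values, indices):
        if v % P:
            f[idx] = v % P
    return f


def ones_commitment(n):
    """prod_{j in [n]} g_{(n+1)j}: the S-tilde commitment to (1, ..., 1)."""
    _, _, S_tilde, _ = index_sets(n)
    return commit(0, [1] * n, S_tilde)


def product_prove(n, r, a, s, b, t, u):
    """Honest prover: (c, d, v, pi) with c, v restricted to S and d to S-tilde.

    pi is the exponent of e(c, d) / e(v, prod g_{(n+1)j}); for a correct witness
    (u_i = a_i * b_i) its x^{i(n+2)} coefficients cancel, so pi is spanned by g and
    {g_l : l in S-dot}, matching the closed form g^{rs} prod g_i^{a_i s} ... in the paper.
    """
    _, S, S_tilde, _ = index_sets(n)
    c = commit(r, a, S)
    d = commit(s, b, S_tilde)
    v = commit(t, u, S)
    pi = psub(pmul(c, d), pmul(v, ones_commitment(n)))
    return c, d, v, pi


def product_verify(n, c, d, v, pi):
    """Verifier: pi restricted to S-dot and e(c,d) = e(v, prod g_{(n+1)j}) e(g, pi)."""
    _, _, _, S_dot = index_sets(n)
    # What the restriction argument (pi-hat, pi-dot) guarantees about pi.
    if any(k != 0 and k not in S_dot for k in pi):
        return False
    return psub(pmul(c, d), pmul(v, ones_commitment(n))) == pi


def isolated_coefficients(n, c, d):
    """Coefficients of x^{i(n+2)} in log e(c, d): exactly a_i * b_i (proof of Theorem 3)."""
    prod = pmul(c, d)
    return [prod.get(i * (n + 2), 0) for i in range(1, n + 1)]


def prove_bits(n, r, a, s):
    """Bit proof from the end of Section 6: c (on S) and d (on S-tilde) both hold a
    and v = c, so the proven relation is a_i = a_i^2, i.e. a_i in {0, 1}."""
    return product_prove(n, r, a, s, a, r, a)


if __name__ == "__main__":
    n = 3
    c, d, v, pi = product_prove(n, 7, [1, 2, 3], 11, [4, 5, 6], 13, [4, 10, 18])
    print("honest argument accepted:", product_verify(n, c, d, v, pi))
    c, d, v, pi = product_prove(n, 7, [1, 2, 3], 11, [4, 5, 6], 13, [4, 10, 17])
    print("cheating prover needs x^15 in pi:", 15 in pi, "accepted:", product_verify(n, c, d, v, pi))
```

A dishonest witness leaves a non-zero coefficient at some $x^{i(n+2)}$, which is precisely what the restriction to $\dot S$ forbids, so no accepting $\pi$ exists for it.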

We will now give an argument for the committed values satisfying $b_i = a_{\rho(i)}$, where $\rho \in S_n$ is a publicly known permutation. The idea behind the permutation argument is to show $\sum_{i \in [n]} a_i x^{i(n+2)} = \sum_{i \in [n]} b_i x^{\rho(i)(n+2)}$. By Lemma 1 this implies $b_i = a_{\rho(i)}$ for all $i \in [n]$. To get the desired linear combination we compute $e(c, \prod_{j \in [n]} g_{j(n+1)})$ and $e(d, \prod_{j \in [n]} g_{\rho(j)(n+2) - j})$. They have discrete logarithms
$$\Big(r + \sum_{i \in [n]} a_i x^i\Big) \sum_{j \in [n]} x^{j(n+1)} = r \sum_{j \in [n]} x^{j(n+1)} + \sum_{i \in [n]} a_i x^{i(n+2)} + \sum_{i \in [n]} \sum_{j \in [n] \setminus \{i\}} a_i x^{i + j(n+1)}$$
$$\Big(s + \sum_{i \in [n]} b_i x^i\Big) \sum_{j \in [n]} x^{\rho(j)(n+2) - j} = s \sum_{j \in [n]} x^{\rho(j)(n+2) - j} + \sum_{i \in [n]} b_i x^{\rho(i)(n+2)} + \sum_{i \in [n]} \sum_{j \in [n] \setminus \{i\}} b_i x^{\rho(j)(n+2) + i - j}$$
We have the desired sums $\sum_{i \in [n]} a_i x^{i(n+2)}$ and $\sum_{i \in [n]} b_i x^{\rho(i)(n+2)}$ but due to the extra terms it is not the case that $e(c, \prod_{j \in [n]} g_{j(n+1)}) = e(d, \prod_{j \in [n]} g_{\rho(j)(n+2) - j})$. The prover will construct an argument $\pi$ that cancels out the extra terms and the verifier will check that $e(c, \prod_{j \in [n]} g_{j(n+1)}) = e(d, \prod_{j \in [n]} g_{\rho(j)(n+2) - j}) e(g, \pi)$. The prover also gives a restriction argument $\hat\pi, \dot\pi$ such that the verifier is guaranteed that $\pi$ does not contain any $x^{n+2}, \ldots, x^{n(n+2)}$ terms. Soundness now follows from the verification equation giving us $\sum_{i \in [n]} a_i x^{i(n+2)} = \sum_{i \in [n]} b_i x^{\rho(i)(n+2)}$ when $\pi$ is free of $x^{n+2}, \ldots, x^{n(n+2)}$ terms.

Statement: Commitments $c, d \in G$ and permutation $\rho \in S_n$.
Prover's witness: Openings $r, a_1, \ldots, a_n \in \mathbb{Z}_p$ and $s, b_1, \ldots, b_n \in \mathbb{Z}_p$ so
$$c = g^r \prod_{i \in [n]} g_i^{a_i} \qquad \text{and} \qquad d = g^s \prod_{i \in [n]} g_i^{b_i} \qquad \text{and} \qquad \forall i \in [n]: b_i = a_{\rho(i)}.$$
Argument: Compute the argument as
$$\pi = \prod_{j \in [n]} g_{j(n+1)}^{r} \prod_{j \in [n]} g_{\rho(j)(n+2) - j}^{-s} \prod_{i \in [n]} \prod_{j \in [n] \setminus \{i\}} g_{i + j(n+1)}^{a_i} \prod_{i \in [n]} \prod_{j \in [n] \setminus \{i\}} g_{\rho(j)(n+2) + i - j}^{-b_i}$$
$$\hat\pi = \prod_{j \in [n]} \hat g_{j(n+1)}^{r} \prod_{j \in [n]} \hat g_{\rho(j)(n+2) - j}^{-s} \prod_{i \in [n]} \prod_{j \in [n] \setminus \{i\}} \hat g_{i + j(n+1)}^{a_i} \prod_{i \in [n]} \prod_{j \in [n] \setminus \{i\}} \hat g_{\rho(j)(n+2) + i - j}^{-b_i}$$
$$\dot\pi = \prod_{j \in [n]} \dot h_{j(n+1)}^{r} \prod_{j \in [n]} \dot h_{\rho(j)(n+2) - j}^{-s} \prod_{i \in [n]} \prod_{j \in [n] \setminus \{i\}} \dot h_{i + j(n+1)}^{a_i} \prod_{i \in [n]} \prod_{j \in [n] \setminus \{i\}} \dot h_{\rho(j)(n+2) + i - j}^{-b_i}$$
Verification: Output 1 if and only if
$$e(g, \hat\pi) = e(\pi, \hat g), \qquad e(g, \dot\pi) = e(\pi, \dot h), \qquad e\Big(c, \prod_{j \in [n]} g_{j(n+1)}\Big) = e\Big(d, \prod_{j \in [n]} g_{\rho(j)(n+2) - j}\Big) e(g, \pi).$$

Theorem 4. The permutation argument has perfect completeness and perfect witness-indistinguishability. If the $q$-CPDH assumption holds, a non-uniform probabilistic polynomial time adversary has negligible chance of outputting a permutation $\rho$, commitments $(c, d)$ and an acceptable argument $(\pi, \hat\pi, \dot\pi)$ with corresponding openings of the commitments and the argument such that for some $i \in [n]$ we have $b_i \neq a_{\rho(i)}$.

Proof. Straightforward computation shows that the argument has perfect completeness. To see that the argument is perfectly witness-indistinguishable, observe that given $c, d, \rho$ there is a unique acceptable argument $\pi$ satisfying the verification equation. Given $\pi$ the other parts $\hat\pi$ and $\dot\pi$ are also determined uniquely by the verification equations since $\hat g$ and $\dot h$ are generators for $G$. Any witness in the form of openings of $c$ and $d$ with $b_i = a_{\rho(i)}$ for all $i \in [n]$ therefore gives the same unique argument $(\pi, \hat\pi, \dot\pi)$ so we have perfect witness-indistinguishability. Consider now a non-uniform probabilistic polynomial time adversary $A$ that outputs $\rho \in S_n$ and $r, a_1, \ldots, a_n$, $s, b_1, \ldots, b_n$ and $z, \{z_l\}_{l \in \dot S}$ such that
$$c = g^r \prod_{i \in [n]} g_i^{a_i}, \qquad d = g^s \prod_{i \in [n]} g_i^{b_i}, \qquad \pi = g^z \prod_{l \in \dot S} g_l^{z_l}, \qquad e\Big(c, \prod_{j \in [n]} g_{j(n+1)}\Big) = e\Big(d, \prod_{j \in [n]} g_{\rho(j)(n+2) - j}\Big) e(g, \pi).$$
Computing the discrete logarithms of the verification equation we get
$$\log_{e(g,g)} e\Big(c, \prod_{j \in [n]} g_{j(n+1)}\Big) = \Big(r + \sum_{i \in [n]} a_i x^i\Big)\Big(\sum_{j \in [n]} x^{j(n+1)}\Big) = r \sum_{j \in [n]} x^{j(n+1)} + \sum_{i \in [n]} a_i x^{i(n+2)} + \sum_{i \in [n]} \sum_{j \in [n] \setminus \{i\}} a_i x^{i + j(n+1)}$$
$$\log_{e(g,g)} e\Big(d, \prod_{j \in [n]} g_{\rho(j)(n+2) - j}\Big) = \Big(s + \sum_{i \in [n]} b_i x^i\Big)\Big(\sum_{j \in [n]} x^{\rho(j)(n+2) - j}\Big) = s \sum_{j \in [n]} x^{\rho(j)(n+2) - j} + \sum_{i \in [n]} b_i x^{\rho(i)(n+2)} + \sum_{i \in [n]} \sum_{j \in [n] \setminus \{i\}} b_i x^{\rho(j)(n+2) + i - j}$$
$$\log_{e(g,g)} e(g, \pi) = z + \sum_{l \in \dot S} z_l x^l.$$
The verification equation $e(c, \prod_{j \in [n]} g_{j(n+1)}) = e(d, \prod_{j \in [n]} g_{\rho(j)(n+2) - j}) e(g, \pi)$ therefore gives us
$$r \sum_{j \in [n]} x^{j(n+1)} + \sum_{i \in [n]} a_i x^{i(n+2)} + \sum_{i \in [n]} \sum_{j \in [n] \setminus \{i\}} a_i x^{i + j(n+1)} = s \sum_{j \in [n]} x^{\rho(j)(n+2) - j} + \sum_{i \in [n]} b_i x^{\rho(i)(n+2)} + \sum_{i \in [n]} \sum_{j \in [n] \setminus \{i\}} b_i x^{\rho(j)(n+2) + i - j} + z + \sum_{l \in \dot S} z_l x^l.$$
Recall that $\dot S$ does not contain $n+2, 2(n+2), \ldots, n(n+2)$. This means $\pi$ does not have any $x^{n+2}, \ldots, x^{n(n+2)}$ terms. Looking at the term $x^{\rho(i)(n+2)}$ in the polynomial equation the coefficients on each side of the equality are respectively $a_{\rho(i)}$ and $b_i$. Lemma 1 therefore gives us negligible probability for $b_i \neq a_{\rho(i)}$ for some $i \in [n]$.
8 Constant Size NIZK Argument for Circuit Satisfiability

We will now give an NIZK argument for the satisfiability of a binary circuit $C$, which consists of a constant number of group elements but has a large common reference string. Without loss of generality we assume that the circuit consists of NAND-gates. Let $a$ be the output wire of

the circuit. By adding an extra self-looping NAND gate $a = \neg(a \wedge b)$ we force $a$ to be true, so we can reduce the satisfiability problem to demonstrating that there is a truth-value assignment to the wires such that $C$ is internally consistent with all the NAND-gates. We now give the full NIZK argument for circuit satisfiability that was outlined in the introduction.

Common reference string: Generate common reference string $\sigma = (ck, \sigma, \tilde\sigma, \dot\sigma)$ with $n = 2N$.
Statement: A circuit $C$ with $N$ NAND-gates, where we want to prove the wires can be assigned values such that the circuit is internally consistent.
Witness: $2N$ input values $a_1, \ldots, a_N, b_1, \ldots, b_N \in \{0, 1\}$ for the $N$ gates that are consistent with the wires in the circuit and respect the NAND-gates. Define $u_1, \ldots, u_N$ to be values of the output wires and let $r_1, \ldots, r_N$ be the remaining values in $(a_1, \ldots, a_N, b_1, \ldots, b_N)$ (either inputs to the circuit or duplicates of NAND-gate output wires appearing multiple times as inputs to other NAND-gates).
Argument:
1. Create restricted knowledge commitment $(c_{ab}, \hat c_{ab}, \tilde c_{ab})$ to $(a_1, \ldots, a_N, b_1, \ldots, b_N)$.
2. Create restricted knowledge commitment $(d_{ab}, \hat d_{ab}, \tilde d_{ab})$ to $(a_1, \ldots, a_N, b_1, \ldots, b_N)$.
3. Create restricted knowledge commitment $(c_{ba}, \hat c_{ba}, \tilde c_{ba})$ to $(b_1, \ldots, b_N, a_1, \ldots, a_N)$.
4. Create restricted knowledge commitment $(c_{b0}, \hat c_{b0}, \tilde c_{b0})$ to $(b_1, \ldots, b_N, 0, \ldots, 0)$.
5. Create restricted knowledge commitment $(c_{ur}, \hat c_{ur}, \tilde c_{ur})$ to $(u_1, \ldots, u_N, r_1, \ldots, r_N)$.
6. Create restricted knowledge commitment $(c_{u0}, \hat c_{u0}, \tilde c_{u0})$ to $(u_1, \ldots, u_N, 0, \ldots, 0)$.
7. Show that $c_{ab}$ and $d_{ab}$ contain the same values by giving a product argument for $c_{ab}$ containing the entry-wise product of the values in $\prod_{i=1}^{2N} g_i$ (a commitment to $(1, \ldots, 1, 1, \ldots, 1)$) and $d_{ab}$.
8. Show that $a_1, \ldots, a_N, b_1, \ldots, b_N \in \{0, 1\}$ by giving a product argument for $c_{ab}$ containing the entry-wise product of the values in $c_{ab}$ and $d_{ab}$.
9. Show that the values are internally consistent with the wires.
The values $a_{i_1}, \ldots, a_{i_l}, b_{j_1}, \ldots, b_{j_m}$ may for instance all correspond to the same wire. Pick a permutation $\rho \in S_{2N}$ such that it contains cycles of the form $i_1 \to \cdots \to i_l \to j_1 + N \to j_2 + N \to \cdots \to j_m + N \to i_1$ for all sets of values corresponding to the same wire. Give a permutation argument for $c_{ab}$ containing the $\rho$-permutation of the values in $c_{ab}$. For each set corresponding to the same wire, this shows $a_{i_2} = a_{i_1}, \ldots, b_{j_1} = a_{i_l}, \ldots, b_{j_m} = b_{j_{m-1}}$ so the values must be the same.
10. Give a permutation argument for $c_{ur}$ and $c_{ab}$ showing that the output values $(u_1, \ldots, u_N)$ are consistent with the input values $(a_1, \ldots, a_N, b_1, \ldots, b_N)$. (The $(r_1, \ldots, r_N)$ values are the remaining $N$ values in $(a_1, \ldots, a_N, b_1, \ldots, b_N)$ that correspond to duplicates of an output wire or input wires to the circuit.)
11. Give a permutation argument for $c_{ba}$ containing the swap of the values in $c_{ab}$.
12. Give a product argument for $c_{b0}$ containing the entry-wise product of the values in $c_{ba}$ and $\prod_{j=1}^{N} g_j$ (a commitment to $(1, \ldots, 1, 0, \ldots, 0)$).
13. Give a product argument for $c_{u0}$ containing the entry-wise product of the values in $c_{ur}$ and $\prod_{j=1}^{N} g_j$ (a commitment to $(1, \ldots, 1, 0, \ldots, 0)$).
14. Show that the NAND-gates are respected by giving a product argument for $c_{u0}^{-1} \prod_{i=1}^{N} g_i$ (a commitment to $(1 - u_1, \ldots, 1 - u_N, 0, \ldots, 0)$) containing the entry-wise product of the values in $c_{b0}$ and $d_{ab}$.
The argument consists of the 6 knowledge commitments with corresponding restriction arguments, the 5 product arguments and the 3 permutation arguments given above. The total size is 42 group elements.

Verification: Accept the argument if and only if the 6 knowledge commitments are well-formed, their corresponding restriction arguments are acceptable, the 5 product arguments are acceptable and the 3 permutation arguments are acceptable.

Theorem 5. The NIZK argument for circuit satisfiability is perfectly complete and perfectly zero-knowledge. If the $q$-PKE and $q$-CPDH assumptions hold with $q = 4N^2 + 6N - 2$, then the NIZK argument is computationally sound.

Proof. Perfect completeness follows from the perfect completeness of the restriction, product and permutation arguments. The zero-knowledge simulator works as follows. The common reference string is generated correctly, but the simulation trapdoor $x$ makes it possible to create trapdoor commitments that can be opened to any set of values. Arguments are simulated by creating trapdoor commitments $c_{ab}, d_{ab}, c_{ba}, c_{b0}, c_{ur}, c_{u0}$. Since trapdoor commitments are the same as commitments to $(0, \ldots, 0, 0, \ldots, 0)$ we can give corresponding knowledge and restriction arguments. By trapdoor opening to $a_i = 1, b_i = 1, u_i = 1, r_i = 1$ for all $i \in [N]$ the simulator can give the first 7 product and permutation arguments. By trapdoor opening to $a_i = 1, b_i = 1, u_i = 0$ for all $i \in [N]$, it can give the last product argument. Let us now argue this perfectly simulates a real argument. Consider a hybrid between a real NIZK argument and a simulated NIZK argument, where we make trapdoor commitments but open them to a real witness $(a_1, \ldots, a_N, b_1, \ldots, b_N)$ when making the product and permutation arguments. Since the commitments are perfectly trapdoor the hybrid is perfectly indistinguishable from a real NIZK argument. At the same time, since the arguments are perfectly witness-indistinguishable the hybrid and the simulated NIZK argument are also perfectly indistinguishable. It remains to show that the argument is sound. Consider a non-uniform probabilistic polynomial time adversary $A$ that creates a circuit $C$ and an accepting NIZK argument $\pi$.
By the $q$-PKE assumption, this implies the existence of a non-uniform probabilistic polynomial time extractor $X_A$ that running on the same input extracts openings of the commitments and the arguments. The restriction arguments give us that by the $q$-CPDH assumption the extracted openings are restricted to respectively $S$, $\tilde S$ and $\dot S$. The product and permutation arguments now give us by the $q$-CPDH assumption that the openings satisfy the corresponding relations between the committed values. By the two first arguments this implies the extracted values $a_1, \ldots, a_N, b_1, \ldots, b_N \in \{0, 1\}$. The third argument shows that the values are consistent with the wires. The fourth argument shows that the output wires $(u_1, \ldots, u_N)$ have the values corresponding to $(a_1, \ldots, a_N, b_1, \ldots, b_N)$. The following four arguments show that for all $i \in [N]$: $1 - u_i = a_i b_i$, which means the values respect the NAND-gates. Since the values are consistent with the wires and respect the NAND-gates, the circuit is satisfiable.

Arithmetic circuits. It is possible to adjust our NIZK argument to handle arithmetic circuits consisting of addition and multiplication gates over $\mathbb{Z}_p$. The commitment scheme is homomorphic so if we multiply two commitments we get the sum of their values, which can be used to handle the addition gates. The multiplication gates can be handled with our product arguments.


Module 9. Lecture 6. Duality in Assignment Problems Module 9 1 Lecture 6 Dualty n Assgnment Problems In ths lecture we attempt to answer few other mportant questons posed n earler lecture for (AP) and see how some of them can be explaned through the concept

More information

a b a In case b 0, a being divisible by b is the same as to say that

a b a In case b 0, a being divisible by b is the same as to say that Secton 6.2 Dvsblty among the ntegers An nteger a ε s dvsble by b ε f there s an nteger c ε such that a = bc. Note that s dvsble by any nteger b, snce = b. On the other hand, a s dvsble by only f a = :

More information

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS SECTION 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS 493 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS All the vector spaces you have studed thus far n the text are real vector spaces because the scalars

More information

HMMT February 2016 February 20, 2016

HMMT February 2016 February 20, 2016 HMMT February 016 February 0, 016 Combnatorcs 1. For postve ntegers n, let S n be the set of ntegers x such that n dstnct lnes, no three concurrent, can dvde a plane nto x regons (for example, S = {3,

More information

Lecture 4. Instructor: Haipeng Luo

Lecture 4. Instructor: Haipeng Luo Lecture 4 Instructor: Hapeng Luo In the followng lectures, we focus on the expert problem and study more adaptve algorthms. Although Hedge s proven to be worst-case optmal, one may wonder how well t would

More information

Problem Solving in Math (Math 43900) Fall 2013

Problem Solving in Math (Math 43900) Fall 2013 Problem Solvng n Math (Math 43900) Fall 2013 Week four (September 17) solutons Instructor: Davd Galvn 1. Let a and b be two nteger for whch a b s dvsble by 3. Prove that a 3 b 3 s dvsble by 9. Soluton:

More information

Graph Reconstruction by Permutations

Graph Reconstruction by Permutations Graph Reconstructon by Permutatons Perre Ille and Wllam Kocay* Insttut de Mathémathques de Lumny CNRS UMR 6206 163 avenue de Lumny, Case 907 13288 Marselle Cedex 9, France e-mal: lle@ml.unv-mrs.fr Computer

More information

Assortment Optimization under MNL

Assortment Optimization under MNL Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information

Introduction to Algorithms

Introduction to Algorithms Introducton to Algorthms 6.046J/18.401J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) What data structures

More information

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton

More information

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard

More information

A Threshold Digital Signature Issuing Scheme without Secret Communication

A Threshold Digital Signature Issuing Scheme without Secret Communication A Threshold Dgtal Sgnature Issung Scheme wthout Secret Communcaton Kazuo Takarag, Kunhko Myazak, Masash Takahash Systems Development Laboratory, Htach, Ltd e-mal: {takara, kunhko, takahas}@sdlhtachcop

More information

Section 8.3 Polar Form of Complex Numbers

Section 8.3 Polar Form of Complex Numbers 80 Chapter 8 Secton 8 Polar Form of Complex Numbers From prevous classes, you may have encountered magnary numbers the square roots of negatve numbers and, more generally, complex numbers whch are the

More information

Turing Machines (intro)

Turing Machines (intro) CHAPTER 3 The Church-Turng Thess Contents Turng Machnes defntons, examples, Turng-recognzable and Turng-decdable languages Varants of Turng Machne Multtape Turng machnes, non-determnstc Turng Machnes,

More information

Decentralized Multi-Client Functional Encryption for Inner Product

Decentralized Multi-Client Functional Encryption for Inner Product Ths paper s a slght varant of the Extended Abstract that appears n Advances n Cryptology ASIACRYPT 2018 (December 2 6, Brsbane, Australa) Sprnger-Verlag, LNCS?????, pages??????. Decentralzed Mult-Clent

More information

C/CS/Phy191 Problem Set 3 Solutions Out: Oct 1, 2008., where ( 00. ), so the overall state of the system is ) ( ( ( ( 00 ± 11 ), Φ ± = 1

C/CS/Phy191 Problem Set 3 Solutions Out: Oct 1, 2008., where ( 00. ), so the overall state of the system is ) ( ( ( ( 00 ± 11 ), Φ ± = 1 C/CS/Phy9 Problem Set 3 Solutons Out: Oct, 8 Suppose you have two qubts n some arbtrary entangled state ψ You apply the teleportaton protocol to each of the qubts separately What s the resultng state obtaned

More information

5 The Rational Canonical Form

5 The Rational Canonical Form 5 The Ratonal Canoncal Form Here p s a monc rreducble factor of the mnmum polynomal m T and s not necessarly of degree one Let F p denote the feld constructed earler n the course, consstng of all matrces

More information

20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness.

20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness. 20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The frst dea s connectedness. Essentally, we want to say that a space cannot be decomposed

More information

Kernel Methods and SVMs Extension

Kernel Methods and SVMs Extension Kernel Methods and SVMs Extenson The purpose of ths document s to revew materal covered n Machne Learnng 1 Supervsed Learnng regardng support vector machnes (SVMs). Ths document also provdes a general

More information

DISCRIMINANTS AND RAMIFIED PRIMES. 1. Introduction A prime number p is said to be ramified in a number field K if the prime ideal factorization

DISCRIMINANTS AND RAMIFIED PRIMES. 1. Introduction A prime number p is said to be ramified in a number field K if the prime ideal factorization DISCRIMINANTS AND RAMIFIED PRIMES KEITH CONRAD 1. Introducton A prme number p s sad to be ramfed n a number feld K f the prme deal factorzaton (1.1) (p) = po K = p e 1 1 peg g has some e greater than 1.

More information

The Minimum Universal Cost Flow in an Infeasible Flow Network

The Minimum Universal Cost Flow in an Infeasible Flow Network Journal of Scences, Islamc Republc of Iran 17(2): 175-180 (2006) Unversty of Tehran, ISSN 1016-1104 http://jscencesutacr The Mnmum Unversal Cost Flow n an Infeasble Flow Network H Saleh Fathabad * M Bagheran

More information

Vapnik-Chervonenkis theory

Vapnik-Chervonenkis theory Vapnk-Chervonenks theory Rs Kondor June 13, 2008 For the purposes of ths lecture, we restrct ourselves to the bnary supervsed batch learnng settng. We assume that we have an nput space X, and an unknown

More information

Computationally Private Randomizing Polynomials and Their Applications

Computationally Private Randomizing Polynomials and Their Applications Computatonally Prvate Randomzng Polynomals and Ther Applcatons Benny Applebaum Yuval Isha Eyal Kushlevtz Computer Scence Department, Technon {abenny,yuval,eyalk}@cs.technon.ac.l March 5, 2006 Abstract

More information

2.3 Nilpotent endomorphisms

2.3 Nilpotent endomorphisms s a block dagonal matrx, wth A Mat dm U (C) In fact, we can assume that B = B 1 B k, wth B an ordered bass of U, and that A = [f U ] B, where f U : U U s the restrcton of f to U 40 23 Nlpotent endomorphsms

More information

arxiv: v1 [quant-ph] 6 Sep 2007

arxiv: v1 [quant-ph] 6 Sep 2007 An Explct Constructon of Quantum Expanders Avraham Ben-Aroya Oded Schwartz Amnon Ta-Shma arxv:0709.0911v1 [quant-ph] 6 Sep 2007 Abstract Quantum expanders are a natural generalzaton of classcal expanders.

More information

SL n (F ) Equals its Own Derived Group

SL n (F ) Equals its Own Derived Group Internatonal Journal of Algebra, Vol. 2, 2008, no. 12, 585-594 SL n (F ) Equals ts Own Derved Group Jorge Macel BMCC-The Cty Unversty of New York, CUNY 199 Chambers street, New York, NY 10007, USA macel@cms.nyu.edu

More information

Feature Selection: Part 1

Feature Selection: Part 1 CSE 546: Machne Learnng Lecture 5 Feature Selecton: Part 1 Instructor: Sham Kakade 1 Regresson n the hgh dmensonal settng How do we learn when the number of features d s greater than the sample sze n?

More information

Algebraic partitioning: Fully compact and (almost) tightly secure cryptography

Algebraic partitioning: Fully compact and (almost) tightly secure cryptography Algebrac parttonng: Fully compact and (almost) tghtly secure cryptography Denns Hofhenz October 12, 2015 Abstract We descrbe a new technque for conductng parttonng arguments. Parttonng arguments are a

More information

A Commitment-Consistent Proof of a Shuffle

A Commitment-Consistent Proof of a Shuffle A Commtment-Consstent Proof of a Shuffle Douglas Wkström CSC KTH Stockholm, Sweden dog@csc.kth.se Aprl 2, 2011 Abstract We ntroduce a pre-computaton technque that drastcally reduces the onlne computatonal

More information

Grover s Algorithm + Quantum Zeno Effect + Vaidman

Grover s Algorithm + Quantum Zeno Effect + Vaidman Grover s Algorthm + Quantum Zeno Effect + Vadman CS 294-2 Bomb 10/12/04 Fall 2004 Lecture 11 Grover s algorthm Recall that Grover s algorthm for searchng over a space of sze wors as follows: consder the

More information

arxiv:quant-ph/ Jul 2002

arxiv:quant-ph/ Jul 2002 Lnear optcs mplementaton of general two-photon proectve measurement Andrze Grudka* and Anton Wóck** Faculty of Physcs, Adam Mckewcz Unversty, arxv:quant-ph/ 9 Jul PXOWRZVNDR]QDRODQG Abstract We wll present

More information

Practical and Secure Solutions for Integer Comparison (Extended Abstract)

Practical and Secure Solutions for Integer Comparison (Extended Abstract) Practcal and Secure Solutons for Integer Comparson (Extended Abstract) Juan Garay 1, erry Schoenmakers 2, and José Vllegas 2 1 ell Labs Lucent Technologes, 600 Mountan Ave., Murray Hll, NJ 07974 garay@research.bell-labs.com

More information

Hash functions : MAC / HMAC

Hash functions : MAC / HMAC Hash functons : MAC / HMAC Outlne Message Authentcaton Codes Keyed hash famly Uncondtonally Secure MACs Ref: D Stnson: Cryprography Theory and Practce (3 rd ed), Chap 4. Unversal hash famly Notatons: X

More information

Subset Topological Spaces and Kakutani s Theorem

Subset Topological Spaces and Kakutani s Theorem MOD Natural Neutrosophc Subset Topologcal Spaces and Kakutan s Theorem W. B. Vasantha Kandasamy lanthenral K Florentn Smarandache 1 Copyrght 1 by EuropaNova ASBL and the Authors Ths book can be ordered

More information

A Robust Method for Calculating the Correlation Coefficient

A Robust Method for Calculating the Correlation Coefficient A Robust Method for Calculatng the Correlaton Coeffcent E.B. Nven and C. V. Deutsch Relatonshps between prmary and secondary data are frequently quantfed usng the correlaton coeffcent; however, the tradtonal

More information

(1 ) (1 ) 0 (1 ) (1 ) 0

(1 ) (1 ) 0 (1 ) (1 ) 0 Appendx A Appendx A contans proofs for resubmsson "Contractng Informaton Securty n the Presence of Double oral Hazard" Proof of Lemma 1: Assume that, to the contrary, BS efforts are achevable under a blateral

More information

Notes prepared by Prof Mrs) M.J. Gholba Class M.Sc Part(I) Information Technology

Notes prepared by Prof Mrs) M.J. Gholba Class M.Sc Part(I) Information Technology Inverse transformatons Generaton of random observatons from gven dstrbutons Assume that random numbers,,, are readly avalable, where each tself s a random varable whch s unformly dstrbuted over the range(,).

More information

Practical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption

Practical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption Practcal Functonal Encrypton for Quadratc Functons wth Applcatons to Predcate Encrypton Carmen Elsabetta Zara Baltco 1, Daro Catalano 1, Daro Fore 2, and Roman Gay 3 1 Dpartmento d Matematca e Informatca,

More information

Tightly CCA-Secure Encryption without Pairings

Tightly CCA-Secure Encryption without Pairings Tghtly CCA-Secure Encrypton wthout Parngs Roman Gay 1,, Denns Hofhenz 2,, Eke Kltz 3,, and Hoeteck Wee 1, 1 ENS, Pars, France rgay,wee@d.ens.fr 2 Ruhr-Unverstät Bochum, Bochum, Germany eke.kltz@rub.de

More information

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper Games of Threats Elon Kohlberg Abraham Neyman Workng Paper 18-023 Games of Threats Elon Kohlberg Harvard Busness School Abraham Neyman The Hebrew Unversty of Jerusalem Workng Paper 18-023 Copyrght 2017

More information

Cryptanalysis of a Public-key Cryptosystem Using Lattice Basis Reduction Algorithm

Cryptanalysis of a Public-key Cryptosystem Using Lattice Basis Reduction Algorithm www.ijcsi.org 110 Cryptanalyss of a Publc-key Cryptosystem Usng Lattce Bass Reducton Algorthm Roohallah Rastagh 1, Hamd R. Dall Oskoue 2 1,2 Department of Electrcal Engneerng, Aeronautcal Unversty of Snce

More information

Lecture 10 Support Vector Machines II

Lecture 10 Support Vector Machines II Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed

More information

Cryptographic Protocols

Cryptographic Protocols Cryptographc Protocols Entty Authentcaton Key Agreement Fat-Shamr Identfcaton Schemes Zero-Knowledge Proof Systems Shnorr s Identfcaton/Sgnature Scheme Commtment Schemes Secret Sharng Electronc Electon

More information

Week 2. This week, we covered operations on sets and cardinality.

Week 2. This week, we covered operations on sets and cardinality. Week 2 Ths week, we covered operatons on sets and cardnalty. Defnton 0.1 (Correspondence). A correspondence between two sets A and B s a set S contaned n A B = {(a, b) a A, b B}. A correspondence from

More information

Linear Approximation with Regularization and Moving Least Squares

Linear Approximation with Regularization and Moving Least Squares Lnear Approxmaton wth Regularzaton and Movng Least Squares Igor Grešovn May 007 Revson 4.6 (Revson : March 004). 5 4 3 0.5 3 3.5 4 Contents: Lnear Fttng...4. Weghted Least Squares n Functon Approxmaton...

More information

Groth Sahai proofs revisited

Groth Sahai proofs revisited Groth Saha proofs revsted E. Ghadaf, N.P. Smart, and B. Warnsch Dept. Computer Scence, Unversty of Brstol, Merchant Venturers Buldng, Woodland Road, Brstol, BS8 1UB. Unted Kngdom. ghadaf,ngel,bogdan}@cs.brs.ac.uk

More information

Math Review. CptS 223 Advanced Data Structures. Larry Holder School of Electrical Engineering and Computer Science Washington State University

Math Review. CptS 223 Advanced Data Structures. Larry Holder School of Electrical Engineering and Computer Science Washington State University Math Revew CptS 223 dvanced Data Structures Larry Holder School of Electrcal Engneerng and Computer Scence Washngton State Unversty 1 Why do we need math n a data structures course? nalyzng data structures

More information

Module 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur

Module 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur Module 3 LOSSY IMAGE COMPRESSION SYSTEMS Verson ECE IIT, Kharagpur Lesson 6 Theory of Quantzaton Verson ECE IIT, Kharagpur Instructonal Objectves At the end of ths lesson, the students should be able to:

More information

Polynomials. 1 More properties of polynomials

Polynomials. 1 More properties of polynomials Polynomals 1 More propertes of polynomals Recall that, for R a commutatve rng wth unty (as wth all rngs n ths course unless otherwse noted), we defne R[x] to be the set of expressons n =0 a x, where a

More information

Edge Isoperimetric Inequalities

Edge Isoperimetric Inequalities November 7, 2005 Ross M. Rchardson Edge Isopermetrc Inequaltes 1 Four Questons Recall that n the last lecture we looked at the problem of sopermetrc nequaltes n the hypercube, Q n. Our noton of boundary

More information

Linear, affine, and convex sets and hulls In the sequel, unless otherwise specified, X will denote a real vector space.

Linear, affine, and convex sets and hulls In the sequel, unless otherwise specified, X will denote a real vector space. Lnear, affne, and convex sets and hulls In the sequel, unless otherwse specfed, X wll denote a real vector space. Lnes and segments. Gven two ponts x, y X, we defne xy = {x + t(y x) : t R} = {(1 t)x +

More information

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k.

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k. THE CELLULAR METHOD In ths lecture, we ntroduce the cellular method as an approach to ncdence geometry theorems lke the Szemeréd-Trotter theorem. The method was ntroduced n the paper Combnatoral complexty

More information

Constant-Size Structure-Preserving Signatures Generic Constructions and Simple Assumptions

Constant-Size Structure-Preserving Signatures Generic Constructions and Simple Assumptions Constant-Sze Structure-Preservng Sgnatures Generc Constructons and Smple Assumptons Masayuk Abe Melssa Chase Bernardo Davd Markulf Kohlwess Ryo Nshmak Myako Ohkubo NTT Secure Platform Laboratores, NTT

More information

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm NYU, Fall 2016 Lattces Mn Course Lecture 2: Gram-Schmdt Vectors and the LLL Algorthm Lecturer: Noah Stephens-Davdowtz 2.1 The Shortest Vector Problem In our last lecture, we consdered short solutons to

More information