Efficient Zero-Knowledge Arguments For Paillier Cryptosystem

We present an efficient zero-knowledge argument of knowledge system customized for the Paillier cryptosystem. Our system enjoys sublinear proof size, low verification cost, and acceptable proof generation effort, while also supporting batch proof generation/verification. Existing works specialized f...

Full description

Saved in:
Bibliographic details
Main authors: Gong, Borui, Lau, Wang Fat, Au, Man Ho, Yang, Rupeng, Xue, Haiyang, Li, Lichun
Format: Conference proceeding
Language: eng
Subjects:
Online access: Order full text
container_end_page 1831
container_start_page 1813
creator Gong, Borui
Lau, Wang Fat
Au, Man Ho
Yang, Rupeng
Xue, Haiyang
Li, Lichun
description We present an efficient zero-knowledge argument of knowledge system customized for the Paillier cryptosystem. Our system enjoys sublinear proof size, low verification cost, and acceptable proof generation effort, while also supporting batch proof generation/verification. Existing works specialized for the Paillier cryptosystem feature linear proof size and verification time. Using existing sublinear argument systems for generic statements (e.g., zk-SNARK) results in unaffordable proof generation cost, since it involves translating the relations to be proven into a prohibitively large Boolean or arithmetic circuit over a prime-order field. Our system does not suffer from these limitations. The core of our argument system is a constraint system defined over the ring of residue classes modulo a composite number, together with novel techniques tailored for arguing binary values in this setting. We then adapt the approach from Bootle et al. (EUROCRYPT 2016) to compile the constraint system into a sublinear argument system. Our constraint system is generic and can be used to express typical relations in Paillier cryptosystems, including range proofs, correctness proofs, relationships between bits of a plaintext, relationships among plaintexts of multiple ciphertexts, and more. Our argument supports batch proof generation and verification, with the amortized cost outperforming state-of-the-art protocols specialized for Paillier when the number of Paillier ciphertexts is on the order of hundreds. We report an end-to-end prototype and conduct comprehensive experiments across multiple scenarios. Scenario 1 is Paillier with packing. When we pack 25.6K bits into 400 ciphertexts, a proof that all these ciphertexts are correctly computed is 17 times smaller and 3 times faster to verify compared with the naive implementation using 25.6K OR-proofs without packing. Furthermore, we can prove additional statements almost for free; e.g., one can prove that the sum of a subset of the witness bits is less than a threshold t. Another scenario is range proofs. To prove that each plaintext in 200 Paillier ciphertexts is of size 256 bits, our proof size is 10 times smaller than the state of the art. Our analysis suggests that our system is asymptotically more efficient than existing protocols, and is highly suitable for scenarios involving a large number (more than 100) of Paillier ciphertexts, which is often the case for data analytics applications.
doi_str_mv 10.1109/SP54263.2024.00093
format Conference Proceeding
fulltext fulltext_linktorsrc
identifier EISSN: 2375-1207
ispartof 2024 IEEE Symposium on Security and Privacy (SP), 2024, p.1813-1831
issn 2375-1207
language eng
recordid cdi_ieee_primary_10646829
source IEEE Electronic Library (IEL)
subjects Costs
Data analysis
Knowledge based systems
Privacy
Protocols
Prototypes
Security
title Efficient Zero-Knowledge Arguments For Paillier Cryptosystem
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-04T17%3A01%3A29IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=Efficient%20Zero-Knowledge%20Arguments%20For%20Paillier%20Cryptosystem&rft.btitle=2024%20IEEE%20Symposium%20on%20Security%20and%20Privacy%20(SP)&rft.au=Gong,%20Borui&rft.date=2024-05-19&rft.spage=1813&rft.epage=1831&rft.pages=1813-1831&rft.eissn=2375-1207&rft.coden=IEEPAD&rft_id=info:doi/10.1109/SP54263.2024.00093&rft_dat=%3Cieee_RIE%3E10646829%3C/ieee_RIE%3E%3Curl%3E%3C/url%3E&rft.eisbn=9798350331301&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=10646829&rfr_iscdi=true