A survey on SNARKs Carla R` afols Elliptic Curve Cryptography, - PowerPoint PPT Presentation

A survey on SNARKs Carla R` afols Elliptic Curve Cryptography, Bochum, December 3rd Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

What are ZK Proofs? 2 5 1 9 4 2 6 5 7 1 3 9 8 8 2 3 6 8 5 7 2 9 3 1 4 6 3 6 7 1 3 9 4 6 8 2 7 5 1 6 9 7 1 3 8 5 6 2 4 5 4 1 9 5 4 3 7 2 6 8 1 9 2 7 6 8 2 1 4 9 7 5 3 9 3 8 7 9 4 6 3 2 5 8 1 2 8 4 7 2 6 5 8 1 4 9 3 7 1 9 7 6 3 1 8 9 5 7 4 6 2 x=“Unsolved Sudoku” w=“Solved Sudoku” Proof Accept or Reject Peggy: ( x , w ) Victor: x A process in which a prover probabilistically convinces a verifier of the correctness of a mathematical proposition, and the verifier learns nothing else. Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

What are ZK Proofs? x = CircuitSat = ( There exists w s.t. C ( w ) = 1 ) w x = ( There exist ( p , q ) s.t. N = pq ) w = ( p , q ) x= (I know sk) sk x is true ( x ∈ L ) Accept or Reject Victor: x Peggy: ( x , w ) A process in which a prover probabilistically convinces a verifier of the correctness of a mathematical proposition, and the verifier learns nothing else. Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

Applications Proof that > 18 Movie DB Movie Mixing Anonymous Anonymous in E-voting Credentials Financial Transactions In a dream world zero-knowledge solves all your privacy concerns: keep your data and prove you have played by the rules. Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

Applications: Verifiable Computation � F ( data ) = ?? � y = F ( data ) + proof Check correctness of computation without downloading data. In some applications “Proof”(not Zero-Knowledge) sufficient (the case when sk Peggy = ∅ . ) Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

What is a “good” ZK Proof Performance measured in different parameters. π b ∈ { 0, 1 } Peggy: ( x , w ) Victor: x Expressivity. Prover complexity/ Verifier complexity. Proof size. Weaker/ Stronger Computational assumptions. Need for a trusted Setup. Amount of interaction. Of Knowledge. Private vs Public Verification... Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

What is a “good” ZK Proof Performance measured in different parameters. π b ∈ { 0, 1 } Peggy: ( x , w ) Victor: x Expressivity. Prover complexity/ Verifier complexity. Proof size. Weaker/ Stronger Computational assumptions. With/without Common Reference String. Amount of interaction. Non-interactive. Of Knowledge. Private vs Public Verification... Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

Properties of ZKProofs π b ∈ { 0, 1 } Peggy: ( x , w ) Victor: x Completeness. If Peggy and Victor behave honestly, the proof will be accepted. Soundness. Peggy cannot prove false statements. Zero-Knowledge. Victor learns nothing beyond the truth of the statement. Of Knowledge. Victor is conviced that the prover knows a witness for the statement being true. Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

Formalizing Zero-Knowledge in the CRS model π π b ∈ { 0, 1 } b ∈ { 0, 1 } Peggy: ( CRS , x , w ) Victor: ( CRS , x ) Simulator: ( CRS , x , τ ) Victor: ( CRS , x ) Setting: Common Reference String setting, Non-Interactive. In the (trusted) Setup phase, the common reference string CRS is generated with a trapdoor τ . Real and simulated setting indistinguishable. Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

Expressivity: Specific Statements Until recently “practical ZK”was limited to non NP complete languages. P o s t t a s l Mixing Encryption Digital in E-voting Signatures x = (( g , g a , g b , g c ) is a DH tuple ) w = ( a , b ) x = ( C 1 and C 2 have same plaintext ) w = ( r 1 , r 2 ) Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

Expressivity: General Languages until 2009 CircuitSat naturally encodes computation. It is also the “standard”NP complete problem for ZKProofs. Proof size is always (at least) linear in the witness size. except proofs that use PCP Theorem, non-interactive in the RO ([Kilian92],[Micali00]..) Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

PCP-based proofs: General Proof Strategy (very simplified) Theorem (PCP Theorem) NP = PCP ( O ( 1 ) , O ( log n )) (probabilistically checkable proofs with O ( 1 ) queries and log n randomness). Commit to Π i 1 , . . . , i k π i 1 , . . . , π i k Accept or Reject Victor: x Peggy: ( x , w ) It was not a practical approach, but proofs were succinct . Non-interactive in RO [Micali00]. Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

The Hunting of the (practical) SNARK S uccint N on-Interactive A rguments of K nowledge We have sailed many weeks, we have sailed many days, (Seven days to the week I allow), But a Snark, on the which we might lovingly gaze, We have never beheld till now! L. Carroll Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

ZK Proofs History: The Hunting of the SNARK 1989 – Interactive Proof-Systems [GMR89] (...) – 2010 – Groth. Succinct argument without PCPs ( 42 bilinear group elements) QAPs: ZK friendly characterization of NP, linear CRS [GGPR13] 2013 – Implementation: Pinocchio: Nearly Practical Verifiable Computation” [PGHR13] 2014 – ZeroCash 2016 – Groth. Most efficient zk-SNARK ( 3 bilinear group elements) .... – and so much more... Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

SNARKs: Technical core Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

Overview (not so far from PCPs, after all) Information Theoretic Step. Circuit , � a Rank 1 Constraint Quadratic Arithmetic System Program t ( x ) , { v i ( x ) , w i ( x ) , y i ( x ) } i s.t. L , R , O s.t. � a satisfies circuit ⇔ t ( x ) divides � a satisfies circuit → → ( ∑ i a i v i ( x )) ( ∑ i a i w i ( x )) a ⊤ L ◦ � a ⊤ R = � a ⊤ O � − ∑ i a i y i ( x ) Computational Step. Quadratic Arithmetic Program SNARK t ( x ) , { v i ( x ) , w i ( x ) , y i ( x ) } i Compiler − − − − − − → CRS, π Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

Example a 6 × a 5 a 5 = ( 2 a 2 )( a 3 + a 4 ) × a 6 = ( a 1 + a 2 ) a 5 + × 2 + a 1 a 2 a 3 a 4 Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

Example a 6 × a 5 a 5 = ( 2 a 2 )( a 3 + a 4 ) × a 6 = ( a 1 + a 2 ) a 5 + × 2 + a 1 a 2 a 3 a 4 a 5 a 6 a 5 a 6 a 5 a 6   a 1       0 1 0 0 0 0 a 2   2 1 0 0 0 0         a 3         a = , L = , R = O = � 0 0 1 0 0 0         a 4         0 0 1 0 0 0         a 5         0 0 0 1 1 0       a 6 0 0 0 0 0 1 a ⊤ L ◦ � a ⊤ R = � a ⊤ O ⇐ ⇒ ( 2 a 2 , a 1 + a 2 ) ◦ ( a 3 + a 4 , a 5 ) = ( a 5 , a 6 ) � Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

Example a ⊤ L ◦ � a ⊤ R = � a ⊤ O ⇐ ⇒ ( 2 a 2 , a 1 + a 2 ) ◦ ( a 3 + a 4 , a 5 ) = ( a 5 , a 6 ) �     v 1 ( r 1 ) v 1 ( r 2 ) w 1 ( r 1 ) w 1 ( r 2 ) . . . . . . . . L =  , R =     . . . .    v 6 ( r 1 ) v 6 ( r 2 ) w 6 ( r 1 ) w 6 ( r 2 )   y 1 ( r 1 ) y 1 ( r 2 ) . . O = . .   . .   y 6 ( r 1 ) y 6 ( r 2 ) a ⊤ L ◦ � a ⊤ R = � a ⊤ O ⇐ ⇒ � ( ∑ a i v i ( r 1 ) , ∑ a i v i ( r 2 )) ◦ ( ∑ a i w i ( r 1 ) , ∑ a i w i ( r 2 )) = ( ∑ a i y i ( r 1 ) , ∑ a i y i ( r 2 )) ⇒ ( ∑ a i v i ( X ))( ∑ a i w i ( X )) − ( ∑ a i y i ( X )) is divisible by ( x − r 1 )( x − r 2 ) ⇐ Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

QAP Definition A quadratic arithmetic program consists of some polynomials { v i ( x ) } n i = 0 , { w i ( x ) } n i = 0 , { y i ( x ) } n i = 0 and t ( x ) . A vector � a is accepted by the QAP iff � �� � � � v 0 ( x ) + ∑ a i v i ( X ) w 0 ( x ) + ∑ a i w i ( X ) y 0 ( x ) + ∑ a i y i ( X ) t ( x ) divides − . We have seen how to construct a QAP such that � a is accepted if and only if it satisfies the circuit. Polynomials can be computed from circuit description. Degree of the polynomial: number of gates, number of polynomials: input + gates. Idea for succinctness: check equality at a single evaluation point!! Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd

Bilinear map or Pairing Implicit notation: [ a ] i = a P i . Definition G 1 , G 2 , G T cyclic groups of order p where DLOG is hard, P 1 , P 2 generators of G 1 , G 2 respectively, e : G 1 × G 2 → G T is a non-degenerate bilinear map (or pairing) if for all ([ α ] 1 , [ β ] 2 ) ∈ G 1 × G 2 , e ([ α ] 1 , [ β ] 2 ) = e ( P 1 , P 2 ) αβ (Bilinearity) , e ([ α ] 1 , [ β ] 2 ) � = 1 G T (Non-degeneracy) Carla R` afols ZKProofs Elliptic Curve Cryptography, Bochum, December 3rd