Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution

Jonathan Bootle, Andrea Cerulli, Jens Groth, Sune Jakobsen, Mary Maller

slide-2
SLIDE 2

Zero-Knowledge Proofs for Correct Program Execution

Prover Verifier Witness Statement

slide-3
SLIDE 3

Prover Verifier Witness Statement

Zero-Knowledge Proofs for Correct Program Execution

slide-4
SLIDE 4

Prover Verifier Statement

Completeness: An honest prover convinces the verifier.

Zero-Knowledge Proofs for Correct Program Execution

slide-5
SLIDE 5

Soundness: A dishonest prover never convinces the verifier.

Computational guarantee -> argument

Statement Prover Verifier

Completeness: An honest prover convinces the verifier.

Zero-Knowledge Proofs for Correct Program Execution

slide-6
SLIDE 6

Soundness: A dishonest prover never convinces the verifier.

Computational guarantee -> argument

Statement

Zero-knowledge: Nothing but the truth of the statement is revealed.

Prover Verifier

Completeness: An honest prover convinces the verifier.

Witness

Zero-Knowledge Proofs for Correct Program Execution

slide-7
SLIDE 7

Prover Verifier

Prover Computation, Verifier Computation, Communication, Cryptographic Assumption

Statement

Interaction

Zero-Knowledge Proofs for Correct Program Execution

slide-8
SLIDE 8

Zero-Knowledge Proofs for Correct Program Execution

TinyRAM

Input Tapes: Primary Input, Auxiliary Input

Registers: pc, r1, r2, r3, …, flag

TinyRAM Program: instruction1, instruction2, instruction3, …

Memory: Random Access

Instructions include ADD, MULT, XOR, AND, …

slide-9
SLIDE 9

Zero-Knowledge Proofs for Correct Program Execution

TinyRAM

Input Tapes: Primary Input, Auxiliary Input

Registers: pc, r1, r2, r3, …, flag

TinyRAM Program: instruction1, instruction2, instruction3, …

Memory: Random Access

Public Values <-> Statement

slide-10
SLIDE 10

Zero-Knowledge Proofs for Correct Program Execution

TinyRAM

Input Tapes: Primary Input, Auxiliary Input

Registers: pc, r1, r2, r3, …, flag

TinyRAM Program: instruction1, instruction2, instruction3, …

Memory: Random Access

Private Values <-> Prover’s Witness

slide-11
SLIDE 11

Why TinyRAM?

  • Closer to real world statements
  • Compilers from restricted C to TinyRAM

Zero-Knowledge Proofs for Correct Program Execution

Goal: Zero-knowledge proof for correct TinyRAM execution with low prover overhead

slide-12
SLIDE 12

Execution Trace

Registers pc, r1, r2, r3, …, flag at each time step 1, 2, 3, …, T

Input Tapes: Primary Input, Auxiliary Input

TinyRAM Program: instruction1, instruction2, instruction3, …

Memory: List of Memory Changes

Extra Information

slide-13
SLIDE 13

Checks

Execution trace: registers pc, r1, r2, r3, …, flag at each time step 1, 2, 3, …, T

Input Tapes: Primary Input, Auxiliary Input

TinyRAM Program: instruction1, instruction2, instruction3, …

Memory: List of Memory Changes

Extra Information

Memory Consistency

slide-14
SLIDE 14

Checks

Execution trace: registers pc, r1, r2, r3, …, flag at each time step 1, 2, 3, …, T

Input Tapes: Primary Input, Auxiliary Input

TinyRAM Program: instruction1, instruction2, instruction3, …

Memory: List of Memory Changes

Extra Information

Correct Instruction Execution

slide-15
SLIDE 15

Checks

Execution trace: registers pc, r1, r2, r3, …, flag at each time step 1, 2, 3, …, T

Input Tapes: Primary Input, Auxiliary Input

TinyRAM Program: instruction1, instruction2, instruction3, …

Memory: List of Memory Changes

Extra Information

Word Decompositions

slide-16
SLIDE 16

Proving Correct Program Execution

Sources of Overhead

  • Large fields and large cyclic groups
  • Permutation networks for checking memory
  • Large circuits for bitwise operations

Our Solutions

  • Use hash-based proof system over any field
  • Alternative approach to checking permutations
  • Word decomposition technique gives constant-size circuits

slide-17
SLIDE 17

Results

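| Work | Prover Complexity | Verifier Complexity | Communication | Rounds | Assumption |
|---|---|---|---|---|---|
| BCTV14 | $\Omega(T \log^2 T)$ | $\omega(L + v)$ | $\omega(1)$ | 1 | KoE |
| This Work | $O(\alpha T)$ | $\mathrm{poly}(\lambda)(\sqrt{T} + L + v)$ | $\mathrm{poly}(\lambda)(\sqrt{T} + L)$ | $O(\log \log T)$ | LT-CRHF |

Security 278 9:; <

Runtime Bound $T$, Program Length $L$, Public Input $V$

But what is $\alpha$?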

slide-18
SLIDE 18

Overview

TinyRAM -> Execution Trace -> Algebraic Constraints -> Polynomials -> Ideal Protocols -> Standard Protocols

Prior work: Linear-Time Zero-Knowledge Proofs

Main Contributions

Arithmetising TinyRAM Zero-Knowledge Look-Up Arguments and More

slide-19
SLIDE 19

Ideal Linear Commitment Protocols

P, V

$x \leftarrow C$, $y \leftarrow C$, $z \leftarrow C$

Check linear combinations against commitments

Linear combinations

Commit to vectors
Commit to vectors
…
Compute linear combinations

Send random challenges

slide-20
SLIDE 20

Ideal Linear Commitment Protocols

P, V

$x \leftarrow C$, $y \leftarrow C$, $z \leftarrow C$

Coefficients of linear combinations embed useful conditions

Linear combinations

Commit to execution trace
Commit to vectors
…
Compute linear combinations

Send random challenges

slide-21
SLIDE 21

Committing

Figure (matrix of example values), with labels:

Encode
Hash
Prover computes linear combination

slide-22
SLIDE 22

Checking Commitments

Figure (matrix of example values), with labels:

Encode
Hash
Prover computes linear combination
Verifier encodes and spot-checks columns
High minimum distance catches cheating

slide-23
SLIDE 23
slide-24
SLIDE 24

Correct Instruction Execution

Figure: register values (pc, r1, r2, r3, …, flag) at consecutive time steps

Check consistency of values across each time step

Transition Circuit

Give batch argument that each copy of circuit is satisfied

Covers all TinyRAM instructions

Constant size circuit

slide-25
SLIDE 25

Word Decomposition

Avoid binary circuits when checking bitwise operations on non-binary field elements!

$a, b \in \{0, 1\}$

$a + b = 2(a \wedge b) + (a \oplus b)$

slide-26
SLIDE 26

Word Decomposition

Register value $a$, binary decomposition: $a_0\ a_1\ a_2\ a_3\ \dots\ a_{W-2}\ a_{W-1}$

Odd bits $a_o$: $a_1\ 0\ a_3\ 0\ \dots\ a_{W-1}\ 0$

Even bits $a_e$: $a_0\ 0\ a_2\ 0\ \dots\ a_{W-2}\ 0$

$a = 2a_o + a_e$

slide-27
SLIDE 27

Word Decomposition

$a$: $a_0\ a_1\ a_2\ a_3\ \dots\ a_{W-2}\ a_{W-1}$

$a_o$: $a_1\ 0\ a_3\ 0\ \dots\ a_{W-1}\ 0$

$a_e$: $a_0\ 0\ a_2\ 0\ \dots\ a_{W-2}\ 0$

$a = 2a_o + a_e$

$b$ is split into $b_o$ and $b_e$ in the same way:

$b = 2b_o + b_e$

$a_e + b_e$: $a_0 \oplus b_0,\ a_0 \wedge b_0,\ a_2 \oplus b_2,\ a_2 \wedge b_2,\ \dots,\ a_{W-2} \oplus b_{W-2},\ a_{W-2} \wedge b_{W-2}$

XORs in even bits, ANDs in odd bits

slide-28
SLIDE 28

Look-up Argument

Decomposition: Register Value | Even Bits | Odd Bits

Look-Up Table (all possible register values): Register Values | Even Bits | Odd Bits

Use zero-knowledge look-up argument to show all decompositions correct
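
The word decomposition and its look-up table, worked through as an added Python example that is not from the slides or the paper. The word size W = 8, the prime P, all function names, and the way the two sums are recombined into the XOR and AND words are assumptions of this sketch; a dictionary membership test stands in for the zero-knowledge look-up argument.

```python
# Added illustration; W, P and all names are assumptions, not from the slides.
P = 2**61 - 1                      # demo prime field; any prime > 2^(W+1) works
W = 8                              # demo word size
EVEN = int("01" * (W // 2), 2)     # mask selecting bit positions 0, 2, 4, ...

# Decomposition look-up table: every W-bit word -> (odd part, even part),
# where word = 2*odd + even and both parts have zeros in all odd positions.
TABLE = {x: ((x >> 1) & EVEN, x & EVEN) for x in range(2**W)}


def lookup(x, x_o, x_e):
    """Stand-in for the look-up argument: (x, x_o, x_e) must be a table row."""
    return TABLE.get(x) == (x_o, x_e)


def bitwise_witness(a, b):
    """Prover side: auxiliary values that justify a XOR b and a AND b."""
    (a_o, a_e), (b_o, b_e) = TABLE[a], TABLE[b]
    s_e, s_o = (a_e + b_e) % P, (a_o + b_o) % P   # plain field additions
    (se_o, se_e), (so_o, so_e) = TABLE[s_e], TABLE[s_o]
    return dict(a_o=a_o, a_e=a_e, b_o=b_o, b_e=b_e, s_e=s_e, s_o=s_o,
                se_o=se_o, se_e=se_e, so_o=so_o, so_e=so_e)


def verify_bitwise(a, b, xor, and_, w):
    """Constraints: look-ups and field additions only, no per-bit circuit."""
    checks = [
        lookup(a, w["a_o"], w["a_e"]),
        lookup(b, w["b_o"], w["b_e"]),
        w["s_e"] == (w["a_e"] + w["b_e"]) % P,
        w["s_o"] == (w["a_o"] + w["b_o"]) % P,
        # each 2-bit slot of a sum holds XOR (low bit) and AND (high bit)
        lookup(w["s_e"], w["se_o"], w["se_e"]),
        lookup(w["s_o"], w["so_o"], w["so_e"]),
        xor == (2 * w["so_e"] + w["se_e"]) % P,
        and_ == (2 * w["so_o"] + w["se_o"]) % P,
    ]
    return all(checks)


if __name__ == "__main__":
    a, b = 0b10110101, 0b01100111   # constructed sample words
    w = bitwise_witness(a, b)
    print(verify_bitwise(a, b, a ^ b, a & b, w))        # honest claim
    print(verify_bitwise(a, b, (a ^ b) ^ 1, a & b, w))  # wrong XOR claim
```

The number of constraints per operation is fixed regardless of W; only the look-up table grows with the word size.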

slide-29
SLIDE 29

Look-up Argument

Look-Up Table: $b_1\ b_2\ b_3\ \dots\ b_n$

Values $a_1, a_2, \dots, a_m$ lie in table

$\Leftrightarrow \{a_1, a_2, \dots, a_m\} \subset \{b_1, b_2, \dots, b_n\}$

$\Leftrightarrow \prod_{i=1}^{m} (X - a_i) = \prod_{j=1}^{n} (X - b_j)^{e_j}$ for some $e_j \geq 0$

Think of $m \gg n$

Approach:

  1. Commit to $a_1, a_2, \dots, a_m, e_1, e_2, \dots, e_n$
  2. Prove in zero-knowledge that $\prod_{i=1}^{m} (x - a_i) = \prod_{j=1}^{n} (x - b_j)^{e_j}$ for random $x$

$b_1, b_2, \dots, b_n$ already public

Verify a ‘square and multiply’ algorithm in zero-knowledge

slide-30
SLIDE 30

Memory Consistency

Figure: memory access table with columns Memory Location, Current Value, Previous Access Time, Previous Value, Access Time; annotations: First Access, Next Access, Last Access, "Should be equal", "Set equal"

One memory location -> Cycle

All locations -> permutation

Approach: $a_1, a_2, \dots, a_m$ is a permutation of $b_1, b_2, \dots, b_m$

$\Leftrightarrow \prod_{i=1}^{m} (X - a_i) = \prod_{i=1}^{m} (X - b_i)$

Protocol similar to the look-up argument.
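
The product identities behind the look-up argument and the memory-consistency permutation check, as an added Python example that is not from the slides or the paper. It covers only the polynomial identity test at a random point; commitments and zero-knowledge are omitted, and the prime P and all function names are assumptions.

```python
# Added illustration; P and all names are assumptions, not from the slides.
import secrets
from collections import Counter

P = 2**61 - 1   # demo prime field


def power(base, exp):
    """Square-and-multiply in F_P (the loop the slide says is checked in ZK)."""
    result = 1
    while exp:
        if exp & 1:
            result = result * base % P
        base = base * base % P
        exp >>= 1
    return result


def multiplicities(values, table):
    """Prover: e_j = occurrences of table[j] among the values (None if stray)."""
    counts, allowed = Counter(values), set(table)
    if any(v not in allowed for v in counts):
        return None
    return [counts[t] for t in table]


def lookup_identity(values, table, e, x):
    """Check prod_i (x - values[i]) == prod_j (x - table[j])^e[j] in F_P."""
    lhs = 1
    for v in values:
        lhs = lhs * (x - v) % P
    rhs = 1
    for t, e_j in zip(table, e):
        rhs = rhs * power((x - t) % P, e_j) % P
    return lhs == rhs


def is_permutation(a, b, x):
    """Memory-consistency case: same identity with every exponent equal to 1."""
    return len(a) == len(b) and lookup_identity(a, b, [1] * len(b), x)


def challenge():
    """Verifier's random evaluation point."""
    return secrets.randbelow(P)
```

Two distinct polynomials of degree at most d agree on at most d points, so a false claim passes for at most d of the P possible challenges, where d is the larger of the two product degrees.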

slide-31
SLIDE 31

Summary

  • Nearly-linear proving time
  • Sublinear verification time
  • New word decomposition technique for verifying binary operations over non-binary fields
  • New look-up argument
slide-32
SLIDE 32

Thanks!

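| Work | Prover Complexity | Verifier Complexity | Communication | Rounds | Assumption |
|---|---|---|---|---|---|
| BCTV14 | $\Omega(T \log^2 T)$ | $\omega(L + v)$ | $\omega(1)$ | 1 | KoE |
| This Work | $O(\alpha T)$ | $\mathrm{poly}(\lambda)(\sqrt{T} + L + v)$ | $\mathrm{poly}(\lambda)(\sqrt{T} + L)$ | $O(\log \log T)$ | LT-CRHF |

Security 278 9:; <

Runtime Bound $T$, Program Length $L$, Public Input $V$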