
Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution



  1. Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution. Jonathan Bootle, Andrea Cerulli, Jens Groth, Sune Jakobsen, Mary Maller.

  2. Zero-Knowledge Proofs for Correct Program Execution. [Diagram labels: Statement, Witness, Prover, Verifier.]

  3. Zero-Knowledge Proofs for Correct Program Execution. [Diagram labels: Statement, Witness, Prover, Verifier.]

  4. Zero-Knowledge Proofs for Correct Program Execution. [Diagram labels: Statement, Prover, Verifier.] Completeness: An honest prover convinces the verifier.

  5. Zero-Knowledge Proofs for Correct Program Execution. [Diagram labels: Statement, Prover, Verifier.] Soundness: A dishonest prover never convinces the verifier. Computational guarantee -> argument. Completeness: An honest prover convinces the verifier.

  6. Zero-Knowledge Proofs for Correct Program Execution. [Diagram labels: Statement, Witness, Prover, Verifier.] Soundness: A dishonest prover never convinces the verifier. Computational guarantee -> argument. Completeness: An honest prover convinces the verifier. Zero-knowledge: Nothing but the truth of the statement is revealed.

  7. Zero-Knowledge Proofs for Correct Program Execution. [Diagram labels: Statement, Prover, Verifier.] Performance measures: Interaction; Communication; Prover Computation; Verifier Computation; Cryptographic Assumption.

  8. Zero-Knowledge Proofs for Correct Program Execution. [Diagram: TinyRAM machine with registers (pc, r1, r2, r3, …, flag), random access memory, program (instruction1, instruction2, instruction3, …) and input tapes (primary input, auxiliary input).] TinyRAM instructions include ADD, MULT, XOR, AND, …

  9. Zero-Knowledge Proofs for Correct Program Execution. [Diagram: TinyRAM machine with registers (pc, r1, r2, r3, …, flag), random access memory, program (instruction1, instruction2, instruction3, …) and input tapes (primary input, auxiliary input).] Public Values <-> Statement

  10. Zero-Knowledge Proofs for Correct Program Execution. [Diagram: TinyRAM machine with registers (pc, r1, r2, r3, …, flag), random access memory, program (instruction1, instruction2, instruction3, …) and input tapes (primary input, auxiliary input).] Private Values <-> Prover's Witness

  11. Zero-Knowledge Proofs for Correct Program Execution. Goal: Zero-knowledge proof for correct TinyRAM execution with low prover overhead. Why TinyRAM? • Closer to real world statements • Compilers from restricted C to TinyRAM

  12. Execution Trace. [Table: one row per time step 0, 1, 2, 3, …, T, each holding the registers pc, r1, r2, r3, …, flag; further columns: Memory, List of Memory Changes, Extra Information. Alongside: TinyRAM program (instruction1, instruction2, instruction3, …) and input tapes (primary input, auxiliary input).]

  13. Checks: Memory Consistency. [Execution-trace table: time steps 0 to T; columns for registers, Memory, List of Memory Changes, Extra Information.]

  14. Checks: Correct Instruction Execution. [Execution-trace table: time steps 0 to T; columns for registers, Memory, List of Memory Changes, Extra Information.]

  15. Checks: Word Decompositions. [Execution-trace table: time steps 0 to T; columns for registers, Memory, List of Memory Changes, Extra Information.]

  16. Proving Correct Program Execution. Sources of Overhead -> Our Solutions: • Large fields and large cyclic groups -> Use hash-based proof system over any field • Permutation networks for checking memory -> Alternative approach to checking permutations • Large circuits for bitwise operations -> Word decomposition technique gives constant-size circuits

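  17. Results. BCTV14: prover complexity $\Omega(T \log^2 T)$, verifier complexity $\omega(L + v)$, communication $\omega(1)$, rounds 1, assumption KoE. This work: prover complexity $O(\alpha T)$, verifier complexity $\mathrm{poly}(\lambda)(\sqrt{T} + L + v)$, communication $\mathrm{poly}(\lambda)(\sqrt{T} + L)$, rounds $O(\log \log T)$, assumption LT-CRHF. Program length $L$, runtime bound $T$, public input $v$. But what is $\alpha$? Security 2 78 9:; <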

  18. Overview. [Diagram labels: Arithmetising TinyRAM; TinyRAM; Execution Trace; Algebraic Constraints; Polynomials; Ideal Protocols; Standard Protocols; Zero-Knowledge Look-Up Arguments and More; Main Contributions; Prior work: Linear-Time Zero-Knowledge Proofs.]

  19. Ideal Linear Commitment Protocols. [Diagram: exchange between P and V.] P: Commit to vectors. V: Send random challenges $x, y, \ldots, z$. P: Compute linear combinations. V: Check linear combinations against commitments.

  20. Ideal Linear Commitment Protocols. [Diagram: exchange between P and V.] P: Commit to vectors (commit to execution trace). V: Send random challenges $x, y, \ldots, z$. P: Compute linear combinations. Coefficients of linear combinations embed useful conditions.

  21. Committing. [Figure: matrix of digits with the labels Encode and Hash.] Prover computes linear combination.

  22. Checking Commitments. [Figure: matrix of digits with the labels Encode and Hash.] Prover computes linear combination. Verifier encodes and spot-checks columns. High minimum distance catches cheating.

  23. Correct Instruction Execution. [Diagram: a Transition Circuit between each pair of consecutive rows (pc, r1, r2, r3, …, flag) of the trace.] Transition circuit covers all TinyRAM instructions. Check consistency of values across each time step. Constant size circuit. Give batch argument that each copy of circuit is satisfied.

  24. Word Decomposition. Avoid binary circuits when checking bitwise operations on non-binary field elements! For $a, b \in \{0,1\}$: $a + b = 2(a \wedge b) + (a \oplus b)$

  25. Word Decomposition. Register value $a$ with binary decomposition $a_0\, a_1\, a_2\, a_3 \ldots a_{W-2}\, a_{W-1}$. Odd bits $a_o$: $a_1\, 0\, a_3\, 0 \ldots a_{W-1}\, 0$. Even bits $a_e$: $a_0\, 0\, a_2\, 0 \ldots a_{W-2}\, 0$. $a = 2a_o + a_e$

  26. Word Decomposition. Register values $a$ and $b$, each with binary decomposition, odd bits ($a_o$, $b_o$) and even bits ($a_e$, $b_e$) as on the previous slide: $a = 2a_o + a_e$, $b = 2b_o + b_e$. The sum $a_e + b_e$ has the bits $a_0 \oplus b_0,\ a_0 \wedge b_0,\ a_2 \oplus b_2,\ a_2 \wedge b_2, \ldots, a_{W-2} \oplus b_{W-2},\ a_{W-2} \wedge b_{W-2}$: XORs in even bits, ANDs in odd bits.

  27. Look-up Argument. Look-Up Table (columns: Register Value, Even Bits, Odd Bits): all possible register values. Decomposition (columns: Register Values, Even Bits, Odd Bits). Use zero-knowledge look-up argument to show all decompositions correct.

  28. Look-up Argument. Values $a_1, a_2, \ldots, a_m$ lie in table. Look-Up Table $b_1, b_2, \ldots, b_n$ already public. $\{a_1, a_2, \ldots, a_m\} \subset \{b_1, b_2, \ldots, b_n\}$ ⟺ $\prod_{i=1}^{m} (X - a_i) = \prod_{j=1}^{n} (X - b_j)^{e_j}$ for some $e_j \geq 0$ ⟺ $\prod_{i=1}^{m} (x - a_i) = \prod_{j=1}^{n} (x - b_j)^{e_j}$ for random $x$. Approach: 1. Commit to $a_1, a_2, \ldots, a_m$, $e_1, e_2, \ldots, e_n$. 2. Prove in zero-knowledge that the product equality holds: verify a 'square and multiply' algorithm in zero-knowledge. Think of $m \gg n$.
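
The word decomposition of slides 24 to 26 and the look-up check of slides 27 and 28, as an added Python example that is not from the presentation or the Arya paper. The 8-bit word size, the field modulus, the simplified single-column table of valid even-position parts, and all function names are assumptions made here; the check runs in the clear, with no commitments or zero-knowledge.

```python
import secrets

W = 8                                  # word size in bits (assumption; keeps the table small)
P = 2**61 - 1                          # prime field modulus (assumption)
EVEN_MASK = int("01" * (W // 2), 2)    # 0b01010101: only even bit positions set
# Public table (constructed): every word whose set bits are all in even positions.
TABLE = [t for t in range(2**W) if (t & ~EVEN_MASK) == 0]

def decompose(a):
    """Return (a_o, a_e) with a = 2*a_o + a_e, each using even positions only."""
    return (a >> 1) & EVEN_MASK, a & EVEN_MASK

def and_xor(a, b):
    """Bitwise AND and XOR computed from additions plus decompositions only."""
    (a_o, a_e), (b_o, b_e) = decompose(a), decompose(b)
    # a_e + b_e has XORs in even bit positions and ANDs in odd positions.
    and_e, xor_e = decompose(a_e + b_e)
    and_o, xor_o = decompose(a_o + b_o)
    return 2 * and_o + and_e, 2 * xor_o + xor_e

def lookup_check(values, table, x):
    """Test prod_i (x - a_i) == prod_j (x - b_j)^(e_j) mod P at the point x."""
    lhs = 1
    for a in values:
        lhs = lhs * (x - a) % P
    rhs = 1
    for b in table:
        e_j = values.count(b)                 # honest prover's multiplicity, e_j >= 0
        rhs = rhs * pow(x - b, e_j, P) % P    # pow() does square-and-multiply
    return lhs == rhs

def check_parts(words, x):
    """Look up the even and odd part of every word in TABLE."""
    parts = [p for w in words for p in decompose(w)]
    return lookup_check(parts, TABLE, x)

if __name__ == "__main__":
    x = secrets.randbelow(P)                  # verifier's random challenge
    print(and_xor(0b11001010, 0b10100110))    # (130, 108)
    print(check_parts([0xCA, 0xA6, 0x3F], x))
    # A claimed part with an odd-position bit set is not in the table, so the
    # left side has a root the right side cannot match for any exponents e_j.
    print(lookup_check([0x55, 0x02], TABLE, x))
```

The rejecting case can only pass if the challenge happens to be a root of the difference of the two polynomials, which has at most as many roots as there are looked-up values.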
