Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits, Anca Nitulescu - PowerPoint PPT Presentation


SLIDE 1

Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits

Anca Nitulescu

SLIDE 2

Outline

  • Background: Motivation, History, State-of-the-art, Proof Systems
  • SNARG: Definitions, Properties, Methodology, Options for SNARGs
  • Framework: Roadmap and Tools
  • Construction: Building Blocks, New Scheme
  • Security
  • Conclusions: Open Questions

SLIDE 3

Background

(roadmap figure: Options for SNARGs, SNARK, Security, Definitions, Construction, The End; Verifier and Prover)

SLIDE 4

Delegated Computation

Verifier delegates a task; Prover computes f(x) = y

SLIDE 5

Prover claims a statement

Prover sends Verifier the claim y = f(x)

SLIDE 6

Corrupted Prover

Verifier does not trust the Prover: is f(x) = y, or is y ≠ f(x)?

SLIDE 7

Proof Systems: Non-Interactive Arguments

[Mic00] Computationally sound proofs, Silvio Micali
[Kil92] A note on efficient zk-proofs and arguments, Joe Kilian

SLIDE 8

Non-Interactive Proof Protocol [Mic00]

Prover sends the claim y = f(x) together with a proof π to the Verifier (in the ROM)

SLIDE 9

Pre-Processing for Efficient Arguments

[Mic00] Computationally sound proofs, Silvio Micali
[Kil92] A note on efficient zk-proofs and arguments, Joe Kilian
[Gro10] Short Pairing-based Non-interactive Zero-Knowledge Arguments, J. Groth
[DCL08] Succinct NP proofs from an extractability assumption, G. Di Crescenzo, Helger Lipmaa

crs (common reference string)

SLIDE 10

One round Interaction

Prover and Verifier share the crs; Prover sends a single message π

SLIDE 11

Strong Assumptions

[Mic00] Computationally sound proofs, Silvio Micali
[Kil92] A note on efficient zk-proofs and arguments, Joe Kilian
[Gro10] Short Pairing-based Non-interactive Zero-Knowledge Arguments, J. Groth
[DCL08] Succinct NP proofs from an extractability assumption, G. Di Crescenzo, Helger Lipmaa
[GW11] Separating succinct non-interactive arguments from all falsifiable assumptions, Craig Gentry, Daniel Wichs

SLIDE 12

SNARG!

Succinct Non-interactive ARGument

SLIDE 13

Properties of a SNARG

  • Succinct Proof
  • Efficient Verification
  • Computational Soundness

SLIDE 14

SNARG: Methodology

SNARG under Non-Falsifiable Assumptions: Computation y = F(x) → Target Statement R(y,w) = 1 → Computational Model (Representation) → crs

  • Model PCP (Probabilistically Checkable Proofs), assumption ECRH (Extractable Collision-Resistant Hash)
  • Boolean Circuit SAT, model QSP / SSP (Quadratic / Square Span Programs), assumption PKE (Power Knowledge of Exponent)
  • Arithmetic Circuit SAT, model QAP / SAP (Quadratic / Square Arithmetic Programs), assumption PKE (Power Knowledge of Exponent)

SLIDE 15

State-of-the-art

[PHGR13] Pinocchio: Nearly practical verifiable computation, B. Parno, J. Howell, C. Gentry, M. Raykova
[GGPR13] QSP and succinct NIZKs without PCPs, R. Gennaro, C. Gentry, B. Parno, M. Raykova
[BCI+13] SNARGs via linear interactive proofs, N. Bitansky, A. Chiesa, Y. Ishai, R. Ostrovsky, O. Paneth

Assumptions: PKE, ECRH

SLIDE 16

Post-Quantum Succinct Arguments

[GMNO18] Lattice-based zk-SNARKs from SSP, R. Gennaro, M. Minelli, Anca Nitulescu, M. Orrù
[BCI+13] SNARGs via linear interactive proofs, N. Bitansky, A. Chiesa, Y. Ishai, R. Ostrovsky, O. Paneth
[PHGR13] Pinocchio: Nearly practical verifiable computation, B. Parno, J. Howell, C. Gentry, M. Raykova
[BISW17] Lattice-based SNARGs and their application to more efficient obfuscation, D. Boneh, Y. Ishai, A. Sahai, D.J. Wu
SLIDE 17

Post-Quantum SNARGs

SNARG under Post-Quantum Assumptions: Target Statement R(y,w) = 1 → Computational Model (Representation)

  • [BISW17]: model PCP (Probabilistically Checkable Proofs), assumption (Strong) Vector Linear-Only Encryption
  • [GMNO18]: Boolean Circuit SAT, model QSP / SSP (Quadratic / Square Span Programs), assumption PKE on Lattice Encodings
  • ?: Arithmetic Circuit SAT, model QAP / SAP (Quadratic / Square Arithmetic Programs)

SLIDE 18

Post-Quantum Succinct Arguments

[GMNO18] Lattice-based zk-SNARKs from SSP, R. Gennaro, M. Minelli, Anca Nitulescu, M. Orrù
[BCI+13] SNARGs via linear interactive proofs, N. Bitansky, A. Chiesa, Y. Ishai, R. Ostrovsky, O. Paneth
[PHGR13] Pinocchio: Nearly practical verifiable computation, B. Parno, J. Howell, C. Gentry, M. Raykova
[BISW17] Lattice-based SNARGs and their application to more efficient obfuscation, D. Boneh, Y. Ishai, A. Sahai, D.J. Wu
[this work] Lattice-based zk-SNARGs from SAP, Anca Nitulescu

SLIDE 19

Defining SNARGs

(roadmap figure: Options for SNARGs, SNARK, Background, Security, Definitions, Construction, The End)

SLIDE 20

Algorithms

SNARG with Preprocessing

SLIDE 21

Correctness and Soundness

Verifier runs Verify on π: an honest proof of y = f(x) is accepted; a corrupted Prover claiming y ≠ f(x) is rejected

SLIDE 22

SNARG: Succinct Non-Interactive ARGument

  • Succinctness: proof size independent of NP witness size
  • Non-Interactivity: no exchange between prover and verifier
  • ARGument: soundness holds only against computationally bounded provers

SLIDE 23

Zero-Knowledge SNARG

zk-SNARG

  • Succinctness: proof size independent of NP witness size
  • Non-Interactivity: no exchange between prover and verifier
  • Argument: soundness holds only against computationally bounded provers
  • Zero-Knowledge: does not leak anything about the witness

SLIDE 24

Zero-Knowledge

Prover vs. Simulator

SLIDE 25

zk-SNARK

  • Succinctness: proof size independent of NP witness size
  • Non-Interactivity: no exchange between prover and verifier
  • Argument: soundness holds only against computationally bounded provers
  • Zero-Knowledge: does not leak anything about the witness
  • Knowledge Soundness: a witness can be efficiently extracted from the prover

SNARK: Succinct Non-Interactive ARgument of Knowledge

SLIDE 26

SNARG comparison

  • BISW17, Lattice-based SNARG from PCP: computational model PCP; assumption strong vector linear-only; proof size 1 vector of ciphertexts
  • GMNO18, Lattice-Based zk-SNARK from SSP: computational model SSP; assumption lattice PKE; proof size 5 ciphertexts
  • This work, Lattice-Based zk-SNARG from SAP: computational model SAP; assumption linear-only; proof size 2 ciphertexts

Other comparison rows: zero-knowledge, knowledge soundness, arithmetic circuit, quantum resilient

SLIDE 27

Framework intuition

(roadmap figure: SNARG, crs, π, SAP)

SLIDE 28

Computation: Circuit SAT

NP statement: the circuit on input x outputs y (0/1 gates); Prover claims f(x) = y to the Verifier

SLIDE 29

Witness for Circuit SAT

NP statement f(x) = y; the NP witness (the full wire assignment) is long: too long to send

SLIDE 30

Solve equivalent problem instead

Circuit SAT solution → Polynomial problem: given v(x), t(x), find P(x) such that

P(x)t(x) = v(x)

SLIDE 31

Solve equivalent problem instead

Polynomial problem: given v(x), t(x), find P(x) such that P(x)t(x) = v(x)

P(x) = Σ p_i x^i

Coefficients of solution P(x): p_0, p_1, p_2, …, p_d

SLIDE 32

Solution as big as witness for Circuit SAT

P(x) = Σ p_i x^i; the coefficients p_0, p_1, p_2, …, p_d are as large as the witness for Circuit SAT: Not Succinct

SLIDE 33

Evaluate polynomial in one point s

P(x) = Σ p_i x^i with coefficients p_0, p_1, p_2, …, p_d; Verifier picks a point s

SLIDE 34

Evaluate polynomial in one point s

P(s) = Σ p_i s^i

Polynomial problem P(x)t(x) = v(x) becomes the check P(s)t(s) = v(s)

SLIDE 35

The evaluation point should be hidden

If the Prover learns s, it can answer with some P' ≠ P(x)

SLIDE 36

The evaluation point should be hidden

Verifier keeps s and gives the Prover only Enc(s); a cheating P' would still have to satisfy P' t(s) = v(s)

SLIDE 37

Encoding of evaluation point s

Prover holds P(x) and Enc(s): how to compute P(s)?

SLIDE 38

Encoding Properties

From Enc(s), Enc(s^2), …, Enc(s^d): Enc(P(s)) = Σ p_i Enc(s^i)

Encoding:

  • linearly homomorphic
SLIDE 39

Succinct Proof

From Enc(s), Enc(s^2), …, Enc(s^d) the Prover computes π = Enc(P(s))

Constant size Proof
SLIDE 40

Verification

π = Enc(P(s)); Verifier checks the polynomial problem (given v(x), t(x), find P(x) such that P(x)t(x) = v(x)) at s, using t(s) and v(s)

Encoding:

  • linearly homomorphic
  • quadratic root detection
  • image verification
SLIDE 41

Security

SLIDE 42

Non-falsifiable Assumption: Linear-Only (L-O)

From Enc(m_1), Enc(m_2), …, Enc(m_d) one can only produce Enc(M) with M = a_1·m_1 + a_2·m_2 + … + a_d·m_d for known coefficients a_1, a_2, …, a_d

SLIDE 43

Our SNARG

(roadmap figure: Options for SNARGs, SNARK, Background, Security, Definitions, Construction, The End)

SLIDE 44

Polynomial problem

Square Arithmetic Programs: Computational Model for Arithmetic Circuits

SLIDE 45

Arithmetic Circuit Satisfiability Problem

(circuit figure: wires a1, a2, a3, a4, a5, a6 connected by + and × gates, computing f(a1, a3) = a6)

statement: a1, a3, a6; witness: a2, a4, a5

SLIDE 46

NEW Representation: Square Arithmetic Program

(circuit figure: wires a1, a2, a3, a4, a5, a6) → Square Arithmetic Program (SAP)

SLIDE 47

Polynomial problem

Encodings: Lattice-Based Assumptions

SLIDE 48

Encodings Instantiations: Discrete Log?

DLog Group: g^s, g^{s^2}, …, g^{s^d}

Linearly homomorphic; Quadratic root detection (public)?

SLIDE 49

Post-Quantum: Encryption Scheme

Encryption scheme: E_pk(s), E_pk(s^2), …, E_pk(s^d)

Linearly homomorphic; Quadratic root detection on E(p(s)), E(h(s)) needs sk

SLIDE 50

SNARK from SAP

Circuit for f(⋅) → SAP → Find h(x) with t(x)h(x) = p(x), where p(s) = V(s)^2 - 1

Proof: Evaluate in a point: p(s), h(s)

Verify: check t(s)h(s) = p(s)

SLIDE 51

Proof: Evaluate solution in s

crs: αs, αs^2, …, αs^d

π: A = E(αV(s))

(circuit figure: wires a1, a2, a3, a4, a5, a6)

SLIDE 52

Proof: Division Term

crs: αs, αs^2, …, αs^d; αt(s)s, αt(s)s^2, …, αt(s)s^d

π: A = E(αV(s)), B = E(αW(s) + αt(s)h(s))

Check: A^2 = αB

(circuit figure: wires a1, a2, a3, a4, a5, a6)

SLIDE 53

Proof: Linear Span

crs: αs, αs^2, …, αs^d; βv_i(s); αt(s)s, αt(s)s^2, …, αt(s)s^d

π: A = E(αV(s)), B = E(αW(s) + βV(s) + αt(s)h(s))

(circuit figure: wires a1, a2, a3, a4, a5, a6)

SLIDE 54

Proof: Same Span for V, W

crs: αs, αs^2, …, αs^d; αw_i(s) + βv_i(s); αt(s)s, αt(s)s^2, …, αt(s)s^d

π: A = E(αV(s)), B = E(αW(s) + βV(s) + αt(s)h(s))

(circuit figure: wires a1, a2, a3, a4, a5, a6)

SLIDE 55

Protocol

SAP: t(x), {v_i(x)}_i, {w_i(x)}_i

crs: αs, αs^2, …, αs^d; αw_i(s) + βv_i(s) for i = 0, …, m; αt(s)s, αt(s)s^2, …, αt(s)s^d

π: A = E(αV(s)), B = E(αW(s) + βV(s) + αt(s)h(s))

SLIDE 56

Setup and Proof

SAP: t(x), {v_i(x)}_i, {w_i(x)}_i

crs: αs, αs^2, …, αs^d; αw_i(s) + βv_i(s) for i = 0, …, m; αt(s)s, αt(s)s^2, …, αt(s)s^d

π: A = E(αV(s)), B = E(αW(s) + βV(s) + αt(s)h(s))

Verification: A(A+β) = αB

SLIDE 57

Review of the Protocol (Algorithms)

SNARG: setup outputs crs; proof π = (A, B); verifier checks A(A+β) = αB
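Added example, not code from the slides or from the paper: the polynomial relation behind the check A(A+β) = αB, worked in the clear over a prime field in Python. Expanding the identity with A = αV(s) and B = αW(s) + βV(s) + αt(s)h(s) gives α²(V(s)² − W(s) − t(s)h(s)) = 0, so the prover must find h(x) with V(x)² − W(x) = t(x)h(x); the prime, the two-gate SAP instance with t(x) = (x−1)(x−2), and the fixed secrets s, α, β are constructed for this demo, and the encryption layer (which is what keeps s, α, β hidden in the crs and makes verification designated-verifier) is left out.

```python
P = 2**61 - 1  # constructed field prime for the demo

def poly_eval(c, x):            # Horner: c[0] + c[1]x + ... + c[d]x^d mod P
    acc = 0
    for coef in reversed(c):
        acc = (acc * x + coef) % P
    return acc

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out

def poly_add(a, b, k=1):        # a + k*b; k = P-1 subtracts
    a, b = a + [0] * (len(b) - len(a)), b + [0] * (len(a) - len(b))
    return [(x + k * y) % P for x, y in zip(a, b)]

def poly_divmod(num, den):      # long division mod P -> (quotient, remainder)
    num, q = num[:], [0] * max(1, len(num) - len(den) + 1)
    inv = pow(den[-1], P - 2, P)
    for i in range(len(num) - len(den), -1, -1):
        q[i] = num[i + len(den) - 1] * inv % P
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - q[i] * d) % P
    return q, num[:len(den) - 1]

# Constructed SAP with t(x) = (x-1)(x-2). Root 1 encodes the square gate a2 = a1^2,
# root 2 encodes a3 = (a1 + a2)^2. Wires: a0 = 1, a1 = input, a2 = witness, a3 = output.
T = [2, P - 3, 1]                              # x^2 - 3x + 2
V_POLYS = [[0], [1], [P - 1, 1], [0]]          # v_1 = 1, v_2 = x - 1
W_POLYS = [[0], [0], [2, P - 1], [P - 1, 1]]   # w_2 = 2 - x, w_3 = x - 1

def prove(a, s, alpha, beta):
    """Prover in the clear: h = (V^2 - W)/t, then A = αV(s), B = αW(s) + βV(s) + αt(s)h(s)."""
    V, W = [0], [0]
    for ai, vi, wi in zip(a, V_POLYS, W_POLYS):    # V = Σ a_i v_i, W = Σ a_i w_i
        V, W = poly_add(V, vi, ai), poly_add(W, wi, ai)
    h, rem = poly_divmod(poly_add(poly_mul(V, V), W, P - 1), T)
    A = alpha * poly_eval(V, s) % P
    B = (alpha * poly_eval(W, s) + beta * poly_eval(V, s)
         + alpha * poly_eval(T, s) * poly_eval(h, s)) % P
    return A, B, any(rem)      # nonzero remainder: a is not a valid SAP assignment

def verify(A, B, alpha, beta):
    """Verifier's check A(A+β) = αB; the real scheme runs it on encodings using sk."""
    return A * (A + beta) % P == alpha * B % P
```

A wrong witness (for example a2 = 10 with a1 = 3) leaves a nonzero remainder, so V² − W ≠ t·h as polynomials and the check fails at any evaluation point except the few roots of the remainder.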

SLIDE 58

zk-SNARG

SNARG under Post-Quantum Assumptions: Computation y = F(x) → Target Statement R(y,w) = 1 → Computational Model (Representation)

  • Model PCP (Probabilistically Checkable Proofs), assumption (Strong) Vector Linear-Only Encryption
  • Boolean Circuit SAT, model QSP / SSP (Quadratic / Square Span Programs), assumption PKE on Lattice Encodings
  • Arithmetic Circuit SAT, model SAP (Square Arithmetic Programs), assumption Linear-Only Encodings

SLIDE 59

Post-Quantum: Lattice-Based Encryption Scheme

Encryption and decryption carry a small error term; the scheme is linearly homomorphic, E(m1) + E(m2) = E(m1 + m2), and the error terms add up

SLIDE 60

Challenge: Adding Zero-Knowledge

  • randomize polynomials V(x), W(x) to hide the witness
  • add a smudging term to the noise of the encoding E(αV) → distribution of the final noise independent of the coefficients
  • vector is statistically indistinguishable from uniformly random, from the leftover hash lemma

SLIDE 61

Linear-Only Assumption [BISW17]

Linear-Only (L-O): from E(m_1), E(m_2), …, E(m_d) and coefficients a_1, a_2, …, a_d one can only produce E(M) = E(Σ a_i m_i), with M = a_1·m_1 + a_2·m_2 + … + a_d·m_d

SLIDE 62

Extractable Linear-Only Assumption

Extractable L-O: given E(m_1), E(m_2), …, E(m_d) and E(αm_1), E(αm_2), …, E(αm_d), whoever produces E(M) = E(Σ a_i m_i) together with E(αM) must know the coefficients a_1, a_2, …, a_d

SLIDE 63

Conclusions

(roadmap figure: Options for SNARKs, SNARK, Background, Security, Framework, Construction, The End, crs)

SLIDE 64

Review of Our Result

SAP + Linear-only Enc → Lattice-Based zk-SNARG: 2 ciphertexts, zero-knowledge, designated-verifier

(circuit figure: wires a1, a2, a3, a4, a5, a6)

SLIDE 65

Further directions

Pre-Processing (crs: common reference string): secret coins; expensive; subversion
Designated Verifier: secret key sk
Subversion-Resistant Protocols: updatable crs; verifiable crs
Public Verification?

SLIDE 66

Thank you

www.di.ens.fr/~nitulesc