lattice based zero knowledge snargs for arithmetic
play

Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits Anca - PowerPoint PPT Presentation

Sep 06, 2023 •356 likes •1.03k views

Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits Anca Nitulescu Outline C The SNARG Definitions Construction END Background Option for SNARGs Security s Proof Systems Roadmap and Tools Framework Conclusions Motivation

  1. Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits Anca Nitulescu

  2. Outline C The SNARG Definitions Construction END Background Option for SNARGs Security s Proof Systems Roadmap and Tools Framework Conclusions Motivation Definitions Building Blocks Open New Scheme History Properties Questions State-of-the-art Methodology 2

  3. SNARK C The SNARG Definitions Construction END Background Option Option for SNARGs Security Tale 2 s s Prover Verifier 3

  4. Delegated Computation Task computes f(x)= y Prover Verifier 4

  5. Prover claims a statement Claim y =f(x) Prover Verifier 5

  6. Verifier does not trust ? ? ? y ≠ f(x) f(x)= y Corrupted Verifier Prover 6

  7. Proof Systems: Non-Interactive Arguments [Mic00] Computationally sound proofs Joe Kilian Silvio Micali [Kil92] A note on effj ffjcient zk-proofs and arguments 7

  8. Non-Interactive Proof Protocol [Mic00] π Claim y =f(x) ROM Proof π π Prover Verifier 8

  9. Pre-Processing for Efficient Arguments crs [Mic00] Computationally sound proofs G. Di Crescenzo J. Groth Joe Kilian Helger Lipmaa Silvio Micali [Kil92] [DCL08] A note on effj ffjcient Succinct NP proofs from an zk-proofs and extractability assumption arguments [Gro10] Short Pairing-based Non-interactive Zero-Knowledge Arguments 9

  10. One round Interaction crs crs Prover π Verifier 10

  11. Strong Assumptions [GW11] Separating succinct [Mic00] non-interactive Computationally arguments from all sound proofs falsifi fiable assumptions G. Di Crescenzo J. Groth Joe Kilian Helger Lipmaa Silvio Micali Craig Gentry Daniel Wichs [Kil92] [DCL08] A note on effj ffjcient Succinct NP proofs from an zk-proofs and extractability assumption arguments [Gro10] Short Pairing-based Non-interactive Zero-Knowledge Arguments 11

  12. S uccinct N on-interactive ARG ument ! ! G G R R A A N N S S 12

  13. Properties of a SNARG Computational Succinct Efficient Soundness Proof Verification 13

  14. SNARG: Methodology Model crs SNARG Computational Model Target Statement under (Representation) R(y,w)=1 Non-Falsifiable Assumptions Computation y=F(x) PCP: Probabilistically Checkable Proofs ECRH: Extractable Collision-Resistant Hash QSP / SSP: Boolean Circuit SAT PKE: Power Knowledge of Exponent Quadratic / Square Span Programs QAP / SAP: Arithmetic Circuit SAT PKE: Power Knowledge of Exponent Q / S Arithmetic Programs 14

  15. State-of-the-art ECRH PKE [BCI+13] SNARGs via linear interactive proofs B. Parno, R. Gennaro, J.Howell, C. Gentry, C. Gentry, B. Parno, M. M. Raykova Raykova N.Bitansky, A. Chiesa, Y. Ishai, R. Ostrovsky, O Paneth [GGPR13] QSP and succinct NIZKs without PCPs [PHGR13] Pinocchio: Nearly practical verifi fiable computation 15

  16. Post-Quantum Succinct Arguments [GMNO18] [BCI+13] Lattice-based SNARGs via linear zk-SNARKs from SSP interactive proofs B. Parno, D. Boneh, Y. Ishai, J.Howell, C. Gentry, A. Sahai, D.J. Wu M. Raykova N.Bitansky, R. Gennaro, A. Chiesa, Y. Ishai, R. M. Minelli, Ostrovsky, O Paneth Anca Nitulescu, M. Orrù [BISW17] [PHGR13] Lattice-based SNARGs and their Pinocchio: Nearly practical verifi fiable application to more effj ffjcient computation obfuscation 16

  17. Post-Quantum SNARGs SSP SNARG Computational Model Target Statement under (Representation) R(y,w)=1 Post-Quantum Assumptions [BISW17] PCP: Probabilistically Checkable Proofs (Strong) Vector Linear-Only Encryption [GMNO18] QSP / SSP: PKE on Lattice Encodings Quadratic / Square Span Programs Boolean Circuit SAT ? QAP / SAP: Arithmetic Circuit SAT Q / Square Arithmetic Programs 17

  18. Post-Quantum Succinct Arguments [this work] Lattice-based [GMNO18] [BCI+13] zk-SNARGs Lattice-based SNARGs via linear from SAP zk-SNARKs from SSP interactive proofs B. Parno, D. Boneh, Y. Ishai, J.Howell, C. Gentry, A. Sahai, D.J. Wu M. Raykova N.Bitansky, Anca Nitulescu R. Gennaro, A. Chiesa, Y. Ishai, R. M. Minelli, Ostrovsky, O Paneth Anca Nitulescu, M. Orrù [BISW17] [PHGR13] Lattice-based SNARGs and their Pinocchio: Nearly practical verifi fiable application to more effj ffjcient computation obfuscation 18

  19. Defining SNARGs C The SNARK Definitions Construction END Background Option Option Option for SNARGs Security Tale 1 Tale 1 Tale 2 s s s 19

  20. SNARG with Preprocessing Algorithms 20

  21. Correctness and Soundness y ≠ f(x) y = f(x) Verify π π Corrupted Verifier Prover 21

  22. SNARG : S uccinct N on-Interactive AR Gument Succinctness proof size independent of NP witness size Non-Interactivity SNARG no exchange between prover and verifier ARGument soundness holds only against computationally bounded provers 22

  23. Zero-Knowledge SNARG Succinctness proof size independent of NP witness size Non-Interactivity zk-SNARG no exchange between prover and verifier Zero-Knowledge does not leak anything about the witness Argument soundness holds only against computationally bounded provers 23

  24. Zero-Knowledge Prover Simulator ≃ 24

  25. SNARK : S uccinct N on-Interactive AR gument of K nowledge Succinctness Knowledge Soundness proof size independent a witness can be efficiently of NP witness size extracted from the prover Non-Interactivity zk-SNARK no exchange between prover and verifier Zero-Knowledge does not leak anything about the witness Argument soundness holds only against computationally bounded provers 25

  26. SNARG BISW17 GM N O18 This work comparison Lattice-based Lattice-Based Lattice-Based SNARG zk-SNARK zk-SNARG from PCP from SSP from SAP computational model PCP SSP SAP assumption strong vector linear-only lattice PKE linear-only 1 vector of ciphertexts 5 ciphertexts 2 ciphertexts proof size zero-knowledge knowledge soundness arithmetic circuit quantum resilient

  27. Framework intuition C The SNARG Framework Construction END Background Option Option Option for SNARGs Security Tale 1 Tale 1 Tale 2 s s s s r c SAP SNARG π / 27

  28. Computation: Circuit SAT x y NP statement f(x)= y 0/1 Claim f(x)= y Prover Verifier 28

  29. NP witness: Too long! x y NP statement f(x)= y 1 Witness for Circuit SAT Long Prover Verifier 29

  30. Solve equivalent problem instead x y Polynomial problem Given v(x), t(x) . Circuit SAT Find P(x) such that solution P(x) t(x) = v(x) 0/1 Prover Verifier 30

  31. Solve equivalent problem instead Polynomial problem Given v(x), t(x) . Find P(x) such that P(x) = Σ p i x i P(x) t(x) = v(x) Coefficients of solution P(x) p 0 , p 1 , p 2 , … p d Prover Verifier 31

  32. Solution as big as witness for Circuit SAT Not Succinct P(x) = Σ p i x i Witness for Circuit SAT Coefficients of solution P(x) p 0 , p 1 , p 2 , … p d Prover Verifier 32

  33. Evaluate polynomial in one point s s P(x) = Σ p i x i Coefficients of solution P(x) p 0 , p 1 , p 2 , … p d Prover Verifier 33

  34. Evaluate polynomial in one point s Polynomial problem s P( s ) = Σ p i s i P(x) t(x) = v(x) P(s) t(s) = v(s) P(x) P(s) Prover Verifier 34

  35. The evaluation point should be hidden s P’ ≠ P(x) P’ P(x) Prover Verifier 35

  36. The evaluation point should be hidden s P’ t(s) = t(s) v(s) s Enc( s ) P’ P(x) P’ Prover Verifier 36

  37. Encoding of evaluation point s Enc( s ) P(s) = ? P(x) Prover Verifier 37

  38. Encoding Properties Enc( P (s)) Enc(s 2 ) Enc(s d ) Enc(s) Enc(s i ) = Σ p i Encoding: ● linearly homomorphic Prover Verifier 38

  39. Succinct Proof Enc( P (s)) Enc(s 2 ) Enc(s d ) Enc(s) Proof π = e z i s t n a t s n o f o C o r P Prover Verifier 39

  40. Verification Polynomial problem Given v(x), t(x) . Find P(x) such that P(x) t(x) = v(x) P π = v(s) P t (s) Encoding: ● linearly homomorphic ● quadratic root detection Prover Verifier ● image verification 40

  41. Security 41

  42. Non-falsifiable Assumption: Linear-Only Enc(m 1 ) Enc(m 2 ) Enc(m n ) L-O Enc( M ) a 1 a 2 a d M = m 1 + m 2 + + m d 42

  43. Our SNARG C The SNARG Definitions Construction END Background Option Option Option for SNARGs Security Tale 1 Tale 1 Tale 2 s s s 43

  44. Polynomial problem Square Arithmetic Programs Computational Model For Arithmetic Circuits 44

  45. Arithmetic Circuit Satisfiability Problem a 1 a 2 a 3 a 4 + + + a 5 + + , a 3 )= a 6 f(a 1 statement: a 1 , a 3 , a 6 a 6 witness: a 2 , a 4 , a 5 45

  46. NEW Representation: Square Arithmetic Program SAP a 1 a 2 a 3 a 4 + + Square Arithmetic Program a 5 SAP + a 6 46

  47. Polynomial problem Encodings Lattice-Based Assumptions 47

  48. Encodings Instantiations: Discrete Log DLog Group Linearly homomorphic: Quadratic root detection ( public ) ? s 2 s d g s g g ? 48

  49. Post-Quantum: Encryption Scheme Encryption scheme Quadratic root detection needs sk Linearly homomorphic: ? E pk (s) E pk (s 2 ) E pk (s d ) E (h(s)) E (p(s)) 49

  50. SNARK from SAP p(s), h(s) Proof: Circuit Evaluate for f( ⋅ ) in a point ? t (s)h(s)=p(s) p(s)= V(s) 2 -1 Find h(x) Verify Verify t(x)h(x)=p(x) h(s) the proof SAP p(s) 50

  51. Proof: Evaluate solution in s a 1 a 2 a 3 a 4 α s α s 2 α s d + + + a 5 + + a 6 A π = E ( α V (s)) 51

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai,

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai,

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Program Obfuscation [BGIRSVY01, GGHRSW13] Indistinguishability obfuscation ( ) has emerged as a central hub

648 views • 36 slides
Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli,

Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli,

Sub-Linear Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli, Rafael del Pino, Jens Groth and Vadim Lyubashevsky Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits 2

712 views • 33 slides
RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core

RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core

22nd IEEE Symposium on Computer Arithmetic RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core Procedure Jean-Claude Bajard , Julien Eynard Nabil Merkiche , Thomas Plantard Sorbonne

383 views • 25 slides
Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2

Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2

Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 Beno 1 CNRS and ENS Lyon, France 2 Nanyang Technological University, Singapore CRYPTO 2018, 20 August 2018 Zero-Knowledge

422 views • 30 slides
Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors t Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 Beno 1 Ecole Normale Sup erieure de Lyon (France) 2

681 views • 33 slides
Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert 1 San Ling 2 Fabrice Mouhartem 1 Beno Khoa Nguyen 2 Huaxiong Wang 2 1 Ecole Normale Sup erieure de Lyon (France) 2 Nanyang Technological

618 views • 46 slides
Short, Invertible Elements in Partially Splitting Cyclotomic Rings and Applications to

Short, Invertible Elements in Partially Splitting Cyclotomic Rings and Applications to

Short, Invertible Elements in Partially Splitting Cyclotomic Rings and Applications to Lattice-Based Zero-Knowledge Proofs Vadim Lyubashevsky Gregor Seiler IBM Research Zurich April 30, 2018 Motivation: Lattice-Based Zero-Knowledge Proofs

790 views • 42 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University, Israel 2012 Lattice-Based Encryption Schemes 1. NTRU [Hoffstein,

849 views • 47 slides
Accelerating lattice reduction algorithms with floating-point arithmetic Damien Stehl e

Accelerating lattice reduction algorithms with floating-point arithmetic Damien Stehl e

Background on Euclidean lattices Hybrid algorithms for LLL-reduction The fplll library Conclusion Accelerating lattice reduction algorithms with floating-point arithmetic Damien Stehl e http://perso.ens-lyon.fr/damien.stehle/ LIP

766 views • 74 slides
Knowledge-Based Agents knowledge knowledge representation, knowledge base, types of knowledge

Knowledge-Based Agents knowledge knowledge representation, knowledge base, types of knowledge

CPE/CSC 580-S06 Artificial Intelligence Intelligent Agents Knowledge-Based Agents knowledge knowledge representation, knowledge base, types of knowledge wumpus world example of knowledge-based agents knowledge representation language

325 views • 31 slides
Distribution of dense lattice orbits on homogeneous spaces June 6, 2013 Ergodic Theory with

Distribution of dense lattice orbits on homogeneous spaces June 6, 2013 Ergodic Theory with

Distribution of dense lattice orbits on homogeneous spaces June 6, 2013 Ergodic Theory with connections to arithmetic University of Crete, Iraklion Amos Nevo, Technion based on joint work with Alex Gorodnik Wrawick, ETDS 30 Plan Classical

826 views • 81 slides
2 1 Joppe W. Bos and Simon Friedberger Why these strange primes? 2 Quantum

2 1 Joppe W. Bos and Simon Friedberger Why these strange primes? 2 Quantum

Fast Arithmetic Modulo 2 1 Joppe W. Bos and Simon Friedberger Why these strange primes? 2 Quantum computers NIST call for PQC standards [1] [2] Post-Quantum Cryptography 3 Lattice-based Code-based MQ-based

524 views • 25 slides
SNARGs for P, and more, from poly-secure PIR Justin Holmgren Joint work with Zvika Brakerski and

SNARGs for P, and more, from poly-secure PIR Justin Holmgren Joint work with Zvika Brakerski and

1 SNARGs for P, and more, from poly-secure PIR Justin Holmgren Joint work with Zvika Brakerski and Yael Kalai 1 With RAM efficiency for the prover Verifiable Computation: What we want Common Reference String Hey! f(x) = y. Heres a

312 views • 14 slides
Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

923 views • 74 slides
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based Cryptography Why Lattice-based Crypto? o Exponentially Hard (so far) o Quantum-Resistant (so far) o Worst-case hardness (unique feature of

699 views • 38 slides
Developments in PCP (Performance Co-Pilot) Nathan Scott Performance Tools, Red Hat January 2015

Developments in PCP (Performance Co-Pilot) Nathan Scott Performance Tools, Red Hat January 2015

Developments in PCP (Performance Co-Pilot) Nathan Scott Performance Tools, Red Hat January 2015 linux.conf.au 1 Outline Performance Co-Pilot (PCP) Overview PCP Basics General JSON access Containers in PCP New

732 views • 13 slides
PCP Lecture 26 And Hardness of Approximation 1 Promise Problems 2 Promise Problems Decision

PCP Lecture 26 And Hardness of Approximation 1 Promise Problems 2 Promise Problems Decision

PCP Lecture 26 And Hardness of Approximation 1 Promise Problems 2 Promise Problems Decision problems, but with dont cares 2 Promise Problems Decision problems, but with dont cares Specified by a Yes set and a No set,

1.73k views • 135 slides
1 Person/Family Centered Planning Person or Family-Centered Planning is a practice that:

1 Person/Family Centered Planning Person or Family-Centered Planning is a practice that:

Person Centered Planning 101 FY 2019 Course Objectives Through the Person Centered Planning process, individuals receiving CMH supports identify their goals, hopes, interests and preferences. Its much more than just creating a plan

482 views • 9 slides
The rst index has to b e 1 b ecause only the pair 10 and 101 b egin with

The rst index has to b e 1 b ecause only the pair 10 and 101 b egin with

P ost's Corresp ondence Problem An undecidable, but RE, problem that app ears not to ha v e an ything to do with TM's. Giv en t w o lists of \corresp onding" strings ( w ; w ; : : : ; w ) and

210 views • 5 slides
Post Correspondence Problem Suppose we have dominos of strings, e.g.: b a ca abc ca ab a c

Post Correspondence Problem Suppose we have dominos of strings, e.g.: b a ca abc ca ab a c

[Section 5.2] Post Correspondence Problem Suppose we have dominos of strings, e.g.: b a ca abc ca ab a c The question: is it possible to arrange the dominos in line (repetitions of dominos are allowed) in such a way so that the top

797 views • 4 slides
Efgicient Turing Machines CSCI 3130 Formal Languages and Automata Theory Siu On CHAN Chinese

Efgicient Turing Machines CSCI 3130 Formal Languages and Automata Theory Siu On CHAN Chinese

1/31 Efgicient Turing Machines CSCI 3130 Formal Languages and Automata Theory Siu On CHAN Chinese University of Hong Kong Fall 2016 2/31 Undecidability of PCP (optional) 3/31 Undecidability of PCP The language PCP is undecidable We will

329 views • 31 slides
Lecture 19: PCP Theorem and Hardness of Approximation II Arijit Bishnu 28.04.2010 Constraint

Lecture 19: PCP Theorem and Hardness of Approximation II Arijit Bishnu 28.04.2010 Constraint

Constraint Satisfaction Problems Inapproximability of Independent Set Lecture 19: PCP Theorem and Hardness of Approximation II Arijit Bishnu 28.04.2010 Constraint Satisfaction Problems Inapproximability of Independent Set Outline 1

299 views • 16 slides
& Business Program Stefanie Chang Manager, Advantech Global Business Operation December 6,

& Business Program Stefanie Chang Manager, Advantech Global Business Operation December 6,

Advantechs Channel Strategy & Business Program Stefanie Chang Manager, Advantech Global Business Operation December 6, 2019 Transformation of Advantech Channel Management Channel Positioning Global Channel Regional Channel

365 views • 13 slides

More recommend