scalable transparent arguments of knowledge
play

Scalable Transparent ARguments-of-Knowledge Michael Riabzev - PowerPoint PPT Presentation

Aug 17, 2022 •267 likes •599 views

Our result Features A peak under the hood Summary Scalable Transparent ARguments-of-Knowledge Michael Riabzev Department of Computer Science, Technion DIMACS Workshop on Outsourcing Computation Securely Joint work with Eli Ben-Sasson, Iddo

  1. Our result Features A peak under the hood Summary Scalable Transparent ARguments-of-Knowledge Michael Riabzev Department of Computer Science, Technion DIMACS Workshop on Outsourcing Computation Securely Joint work with Eli Ben-Sasson, Iddo Bentov, and Yinon Horesh 1/21

  2. Our result Features A peak under the hood Summary Talk outline • Our result • Novel theory review (Low degree testing) • Concrete implementation performance review 2/21

  3. Our result Features A peak under the hood Summary Our result Features A peak under the hood Improvements Novel low-degree test Measurements Summary 3/21

  4. Our result Features A peak under the hood Summary Our result Today I will tell you about STARK: • “Scalable Transparent ARgument of Knowledge” W • New construction (theory+implementation 1 ) ( P , X , T ) featuring: • Perfect witness-indistinguishability Prover Verifier • Publicly verifiable • No trusted-setup P ( X , W ) ⊢ < T accept • Universal • Succinct verification • And additionally: • Post-quantum secure • Scalable prover (quasi-linear) 1Proof-of-concept in C++ 4/21

  5. Our result Features A peak under the hood Summary Our result Features A peak under the hood Improvements Novel low-degree test Measurements Summary 5/21

  6. Our result Features A peak under the hood Summary Computational model Interactive Oracle Proofs (IOP)[BCS16, RRR16] 2 : • A generalization of IP[GMR89] and PCP[BFL91, AS98] • Verifier interacts with the Prover • Prover’s messages too big for the verifier to read entirely • Also known as oracles 2 also known as PCIP in [RRR16] 6/21

  7. Our result Features A peak under the hood Summary Computational model Interactive Oracle Proofs (IOP)[BCS16, RRR16] 2 : • A generalization of IP[GMR89] and PCP[BFL91, AS98] • Verifier interacts with the Prover • Prover’s messages too big for the verifier to read entirely • Also known as oracles Realistic argument-system: • Using Merkle trees [Kil92, Kil95, Mic00, BCS16] • Noninteractive system : Fiat-Shamir heuristic 2 also known as PCIP in [RRR16] 6/21

  8. Our result Features A peak under the hood Summary Cryptographic assumption • Inner protocol (IOP): • Provably sound 3 • Provably perfect zero-knowledge • Compilation to (noninteractive) argument system: • Using the random oracle model • Implementation: • Simulating a random-oracle using a hash-function 3 Implementation uses security conjectures to improve concrete efficiency. 7/21

  9. Our result Features A peak under the hood Summary Our result Features A peak under the hood Improvements Novel low-degree test Measurements Summary 8/21

  10. Our result Features A peak under the hood Summary Our result Features A peak under the hood Improvements Novel low-degree test Measurements Summary 9/21

  11. Our result Features A peak under the hood Summary STARK (this work) introduces improvements over SCI [BBCGGHPRSTV17] in several aspects: (Ben-Sasson, Bentov, Chiesa, Gabizon, Genkin, Hamilis, Pergament, R, Silberstein, Tromer, Virza) • Privacy — witness indistinguishability based on [BCGV16] 10/21

  12. Our result Features A peak under the hood Summary STARK (this work) introduces improvements over SCI [BBCGGHPRSTV17] in several aspects: (Ben-Sasson, Bentov, Chiesa, Gabizon, Genkin, Hamilis, Pergament, R, Silberstein, Tromer, Virza) • Privacy — witness indistinguishability based on [BCGV16] • Arithmetization — optimized for interactive systems • Disclaimer: RAM usage introduces ∼ 8 T log T additive overhead to witness size • in addition to O ( T ) witness size when no RAM is used • Derived from SCI 10/21

  13. Our result Features A peak under the hood Summary STARK (this work) introduces improvements over SCI [BBCGGHPRSTV17] in several aspects: (Ben-Sasson, Bentov, Chiesa, Gabizon, Genkin, Hamilis, Pergament, R, Silberstein, Tromer, Virza) • Privacy — witness indistinguishability based on [BCGV16] • Arithmetization — optimized for interactive systems • Disclaimer: RAM usage introduces ∼ 8 T log T additive overhead to witness size • in addition to O ( T ) witness size when no RAM is used • Derived from SCI • Low degree test — optimized for interactive systems 10/21

  14. Our result Features A peak under the hood Summary STARK (this work) introduces improvements over SCI [BBCGGHPRSTV17] in several aspects: (Ben-Sasson, Bentov, Chiesa, Gabizon, Genkin, Hamilis, Pergament, R, Silberstein, Tromer, Virza) • Privacy — witness indistinguishability based on [BCGV16] • Arithmetization — optimized for interactive systems • Disclaimer: RAM usage introduces ∼ 8 T log T additive overhead to witness size • in addition to O ( T ) witness size when no RAM is used • Derived from SCI • Low degree test — optimized for interactive systems • Hash-tree commitment — optimization based on queries patter • Reducing communication complexity 10/21

  15. Our result Features A peak under the hood Summary STARK (this work) introduces improvements over SCI [BBCGGHPRSTV17] in several aspects: (Ben-Sasson, Bentov, Chiesa, Gabizon, Genkin, Hamilis, Pergament, R, Silberstein, Tromer, Virza) • Privacy — witness indistinguishability based on [BCGV16] • Arithmetization — optimized for interactive systems • Disclaimer: RAM usage introduces ∼ 8 T log T additive overhead to witness size • in addition to O ( T ) witness size when no RAM is used • Derived from SCI • Low degree test — optimized for interactive systems • Hash-tree commitment — optimization based on queries patter • Reducing communication complexity • System — code optimizations 10/21

  16. Our result Features A peak under the hood Summary STARK (this work) introduces improvements over SCI [BBCGGHPRSTV17] in several aspects: (Ben-Sasson, Bentov, Chiesa, Gabizon, Genkin, Hamilis, Pergament, R, Silberstein, Tromer, Virza) • Privacy — witness indistinguishability based on [BCGV16] • Arithmetization — optimized for interactive systems • Disclaimer: RAM usage introduces ∼ 8 T log T additive overhead to witness size • in addition to O ( T ) witness size when no RAM is used • Derived from SCI • Low degree test — optimized for interactive systems • Hash-tree commitment — optimization based on queries patter • Reducing communication complexity • System — code optimizations 10/21

  17. Our result Features A peak under the hood Summary STARK (this work) introduces improvements over SCI [BBCGGHPRSTV17] in several aspects: (Ben-Sasson, Bentov, Chiesa, Gabizon, Genkin, Hamilis, Pergament, R, Silberstein, Tromer, Virza) • Privacy — witness indistinguishability based on [BCGV16] • Arithmetization — optimized for interactive systems • Disclaimer: RAM usage introduces ∼ 8 T log T additive overhead to witness size • in addition to O ( T ) witness size when no RAM is used • Derived from SCI • Low degree test — optimized for interactive systems • Hash-tree commitment — optimization based on queries patter • Reducing communication complexity • System — code optimizations In this talk we focus on the novel low-degree test 10/21

  18. Our result Features A peak under the hood Summary Our result Features A peak under the hood Improvements Novel low-degree test Measurements Summary 11/21

  19. Our result Features A peak under the hood Summary IOPP novel low-degree test Theorem ([BBHR17]) Given oracle access to an evaluation f ∶ S → F 2 n over F 2 linear subspace S ⊂ F 2 n , there is an IOPP protocol to verify f is close to degree d < ∣ S ∣ 3 , with the following properties: • Total proof size < ∣ S ∣ 2 . • Round complexity log ∣ S ∣ . 2 • Prover complexity < 4 ∣ S ∣ arithmetic operations over F 2 n . • Highly parallelizable. • Query complexity is 2log ∣ S ∣ . • Soundness: Pr [ Reject ∣ dist ( f , C ) = δ ] ≥ min ( δ, 1 4 − 3 d 4 ∣ S ∣ ) − 3 ∣ S ∣ ∣ F 2 n ∣ . • Close to δ in the unique-decoding-radius. • Shown to be tight there. 12/21

  20. Our result Features A peak under the hood Summary Low-degree testing in the Interactive-Oracle-Proof model • Redundancy addition: Prover transforms univariate polynomial p ( x ) into a bivariate polynomial Q ( x , y ) • Invariant: deg y ( Q ) = deg ( p )/ 4 • Verification: Verifier chooses random x 0 and verifies q ( y ) = Q ( x 0 , y ) is low-degree • By repeating the test recursively • Until deg ( q ) is small enough ⋰ ⋮ ⋱ ⋰ ⋮ ⋱ 13/21

  21. Our result Features A peak under the hood Summary Low-degree testing — more details The transformation T ∶ F [ x ] → F [ x , y ] is basically a biased version of [ ? ]: • p ( x ) ∈ F [ x ] is evaluated over V = Span { b 1 , b 2 ,..., b n } • Define: • V 0 ∶ = Span { b 1 , b 2 } • V 1 ∶ = Span { b 3 ,..., b n } • Z V 0 ( x ) ∶ = ∏ ( x − α ) α ∈ V 0 • T ( p ) = Q ( x , y ) where Q ( x , y ) ∶ = p ( x ) mod ( y − Z V 0 ( x )) • Features: • ∀ x ∶ Q ( x , Z v 0 ( x )) = p ( x ) ⋰ ⋮ ⋱ ⋰ ⋮ ⋱ • deg x ( Q ) < 4 • deg y ( Q ) = deg ( p )/ 4 14/21

  22. Our result Features A peak under the hood Summary Low-degree testing — advantages of interactivity • Deeper recursion is possible due to provers adaptivity • ‘Lightweight’ prover algorithm • Better soundness: • Rows are low degree by definition • Any column can be queried ⋰ ⋮ ⋱ ⋰ ⋮ ⋱ 15/21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Zero-knowledge Arguments Proving circuit satisfaibility in zero-knowledge Zero-knowledge In

Zero-knowledge Arguments Proving circuit satisfaibility in zero-knowledge Zero-knowledge In

Short Pairing-based Non-interactive Zero-knowledge Arguments Proving circuit satisfaibility in zero-knowledge Zero-knowledge In a zero knowledge protocol a prover can convince a verifier that some statement is true without leaking any side

628 views • 14 slides
Zero Knowledge Succinct Noninteractive ARguments of Knowledge Saravanan Vijayakumaran

Zero Knowledge Succinct Noninteractive ARguments of Knowledge Saravanan Vijayakumaran

Zero Knowledge Succinct Noninteractive ARguments of Knowledge Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay October 15, 2019 1 / 24 zkSNARKs Arguments ZK proofs

435 views • 24 slides
Highly-Scalable Transparent Performance Enhancing Proxy Verizon: Jae Won Chung, Xiaoxiao Jiang,

Highly-Scalable Transparent Performance Enhancing Proxy Verizon: Jae Won Chung, Xiaoxiao Jiang,

Highly-Scalable Transparent Performance Enhancing Proxy Verizon: Jae Won Chung, Xiaoxiao Jiang, Manish Kurup, Sriram Sridhar Mojatatu Networks: Jamal Hadi Salim, Roman Mashak November 10, 2017 Confidential and proprietary materials for

620 views • 23 slides
Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli,

Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli,

Sub-Linear Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli, Rafael del Pino, Jens Groth and Vadim Lyubashevsky Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits 2

712 views • 33 slides
Transparent Fault Tolerance for Scalable Functional Computation Rob Stewart 1 Patrick Maier 2 Phil

Transparent Fault Tolerance for Scalable Functional Computation Rob Stewart 1 Patrick Maier 2 Phil

Transparent Fault Tolerance for Scalable Functional Computation Rob Stewart 1 Patrick Maier 2 Phil Trinder 2 26 th July 2016 1 Heriot-Watt University Edinburgh 2 University of Glasgow Motivation Tolerating faults with irregular parallelism The

802 views • 49 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
TOWARDS TRANSPARENT ZERO- KNOWLEDGE COMPUTATION - BASED ON 10 YEARS OF COMMERCIAL USE Kurt

TOWARDS TRANSPARENT ZERO- KNOWLEDGE COMPUTATION - BASED ON 10 YEARS OF COMMERCIAL USE Kurt

TOWARDS TRANSPARENT ZERO- KNOWLEDGE COMPUTATION - BASED ON 10 YEARS OF COMMERCIAL USE Kurt Nielsen (Co-founder and CEO Partisia) Transparency and scalability PROTOCOLS PLATFORMS Landmark paper Secure Multiparty Computation Goes Live

773 views • 21 slides
Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2

Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2

Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 Beno 1 CNRS and ENS Lyon, France 2 Nanyang Technological University, Singapore CRYPTO 2018, 20 August 2018 Zero-Knowledge

422 views • 30 slides
Andrew Design Goals Transparent file naming in single name space Scalable -- O(1000s)

Andrew Design Goals Transparent file naming in single name space Scalable -- O(1000s)

COMP 790-088 -- Distributed File Systems Andrew File System COMP 790-088 -- Fall 2009 1 1 Andrew Design Goals Transparent file naming in single name space Scalable -- O(1000s) Performance approximating local files Low

470 views • 8 slides
On Diophantine Complexity and Statistical Zero-Knowledge Arguments Helger Lipmaa Helsinki

On Diophantine Complexity and Statistical Zero-Knowledge Arguments Helger Lipmaa Helsinki

On Diophantine Complexity and Statistical Zero-Knowledge Arguments Helger Lipmaa Helsinki University of Technology http://www.tcs.hut.fi/helger Pedase Theory Day, 04.10.2003 On Diophantine Complexity and SZK Arguments, Helger Lipmaa 1

501 views • 24 slides
Transferring knowledge from discourse to arguments: A case study with scientific abstracts Pablo

Transferring knowledge from discourse to arguments: A case study with scientific abstracts Pablo

Transferring knowledge from discourse to arguments: A case study with scientific abstracts Pablo Accuosto Horacio Saggion Large-Scale Text Understanding Systems Lab, NLP Group (LaSTUS/TALN) Universitat Pompeu Fabra ArgMining 2019 ACL

639 views • 33 slides
Classical arguments that for us is a PP complement of easy The following arguments are the

Classical arguments that for us is a PP complement of easy The following arguments are the

Classical arguments that for us is a PP complement of easy The following arguments are the principle bases for the claim that tough predicates select the control complement structure, along with a brief indication of why these arguments fail to

330 views • 8 slides
KnowledgeStore Scalable Framework for Interlinking Text and Knowledge Marco Rospocher

KnowledgeStore Scalable Framework for Interlinking Text and Knowledge Marco Rospocher

KnowledgeStore Scalable Framework for Interlinking Text and Knowledge Marco Rospocher Fondazione Bruno Kessler (FBK) rospocher@fbk.eu :: @marcorospocher KnowledgeStore A scalable, fault-tolerant, and Semantic Web grounded storage

695 views • 23 slides
Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors t Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 Beno 1 Ecole Normale Sup erieure de Lyon (France) 2

681 views • 33 slides
Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert 1 San Ling 2 Fabrice Mouhartem 1 Beno Khoa Nguyen 2 Huaxiong Wang 2 1 Ecole Normale Sup erieure de Lyon (France) 2 Nanyang Technological

618 views • 46 slides
A Scalable Approach to Incrementally Building Knowledge Graphs Gleb Gawriljuk (KIT), Andreas

A Scalable Approach to Incrementally Building Knowledge Graphs Gleb Gawriljuk (KIT), Andreas

A Scalable Approach to Incrementally Building Knowledge Graphs Gleb Gawriljuk (KIT), Andreas Harth (KIT), Craig A. Knoblock (USC), Pedro Szekely (USC) INSTITUTE AIFB, CHAIRS OF KNOWLEDGE MANAGEMENT AND WEB SCIENCE

636 views • 30 slides
INTERVEHICULAR COMMUNICATION SYSTEMS Daniel Lpez Garca Zakaria Kasmi Institut fr

INTERVEHICULAR COMMUNICATION SYSTEMS Daniel Lpez Garca Zakaria Kasmi Institut fr

INTERVEHICULAR COMMUNICATION SYSTEMS Daniel Lpez Garca Zakaria Kasmi Institut fr Informatik Takustrasse 9 14195 Berlin 1 Outline Introduction Requirements Topology OSI layers -MAC/PHY -Network Vehicular Colision Warning

376 views • 19 slides
ACACES 2018 Summer School GPU Architectures: Basic to Advanced Concepts Adwait Jog, Assistant

ACACES 2018 Summer School GPU Architectures: Basic to Advanced Concepts Adwait Jog, Assistant

ACACES 2018 Summer School GPU Architectures: Basic to Advanced Concepts Adwait Jog, Assistant Professor College of William &amp; Mary (http://adwaitjog.github.io/) William &amp; Mary - Second oldest-institution of higher education in the

581 views • 43 slides
2/17/16 FAITH AND WORK: A PRACTICAL THEOLOGY OF WORK The Value of Work; Decision Making and

2/17/16 FAITH AND WORK: A PRACTICAL THEOLOGY OF WORK The Value of Work; Decision Making and

2/17/16 FAITH AND WORK: A PRACTICAL THEOLOGY OF WORK The Value of Work; Decision Making and the Connection of: Spiritual/Personal/Work Life Case Studies Part III 2 Week 6 I. Housekeeping II. Questions: Yours and ours III. Connections

215 views • 6 slides
14.581 International Trade Lecture 26: Trade Policy Empirics (II) 14.581 Spring 2013

14.581 International Trade Lecture 26: Trade Policy Empirics (II) 14.581 Spring 2013

14.581 International Trade Lecture 26: Trade Policy Empirics (II) 14.581 Spring 2013 14.581 Trade Policy Empirics (II) Spring 2013 1 / 24 Plan for 2 lectures on empirics of trade policy Explaining trade policy in isolation. 1 Emphasis

764 views • 25 slides
Intra-Vehicular Wireless Sensor Networks Sinem Coleri Ergen (joint with Yalcin Sadi, C. Umit Bas)

Intra-Vehicular Wireless Sensor Networks Sinem Coleri Ergen (joint with Yalcin Sadi, C. Umit Bas)

Intra-Vehicular Wireless Sensor Networks Sinem Coleri Ergen (joint with Yalcin Sadi, C. Umit Bas) Wireless Networks Laboratory, Electrical and Electronics Engineering, Koc University Outline Motivation for Intra-Vehicular Wireless Sensor

322 views • 19 slides
Network Flow-based Simultaneous Retiming and Slack Budgeting for Low Power Design Bei Yu 1 Sheqin

Network Flow-based Simultaneous Retiming and Slack Budgeting for Low Power Design Bei Yu 1 Sheqin

Outline Network Flow-based Simultaneous Retiming and Slack Budgeting for Low Power Design Bei Yu 1 Sheqin Dong 1 Yuchun Ma 1 Tao Lin 1 Yu Wang 1 Song Chen 2 Satoshi GOTO 2 1 Department of Computer Science &amp; Technology Tsinghua University,

527 views • 21 slides
Xen Security Modules (XSM) George Coker National Information Assurance Research Lab National

Xen Security Modules (XSM) George Coker National Information Assurance Research Lab National

Xen Security Modules (XSM) George Coker National Information Assurance Research Lab National Security Agency (NSA) gscoker@alpha.ncsc.mil National Information Assurance Research Lab 1 UNCLASSIFIED What is XSM? A generalized

342 views • 33 slides
3D RECONSTRUCTION Reconstruction method Reconstruction from images Reconstruction from video

3D RECONSTRUCTION Reconstruction method Reconstruction from images Reconstruction from video

3D RECONSTRUCTION Reconstruction method Reconstruction from images Reconstruction from video Using Kinect Raw Depth Image Infrared laser projector Monochrome CMOS sensor Demo Kinect Raw data Real-time Reconstruction Pipeline Measurement

508 views • 34 slides

More recommend