Standardizing Commit-and-Prove ZK Daniel Benarroch Matteo - - PowerPoint PPT Presentation

standardizing commit and prove zk
SMART_READER_LITE
LIVE PREVIEW

Standardizing Commit-and-Prove ZK Daniel Benarroch Matteo - - PowerPoint PPT Presentation

Dec 04, 2023 438 likes •643 views

Standardizing Commit-and-Prove ZK Daniel Benarroch Matteo Campanelli Dario Fiore IMDEA Software Institute, IMDEA Software Institute, QEDIT Madrid Madrid 2 nd ZKProof Workshop ZK P V . . . Look, V, I know u such that R(u) holds.

slide-1
SLIDE 1

Dario Fiore Matteo Campanelli

Standardizing Commit-and-Prove ZK

IMDEA Software Institute, Madrid

Daniel Benarroch

QEDIT IMDEA Software Institute, Madrid

2nd ZKProof Workshop

slide-2
SLIDE 2

ZK

. . .

P V

Look, V, I know u such that R(u) holds.

slide-3
SLIDE 3

Commit-and-Prove (CP) ZK

. . .

P V

u Rcom(c, u) := R(u) AND c u

  • pens

Commit-and-Prove ZKP: A ZKP for the relation

Look, V, I know u such that R(u) holds. And, by the way,

  • pens

u

slide-4
SLIDE 4

Motivation: Soundness + Integrity

Composition of proof systems [CFQ19,Folklore] CP in several applications presented in this workshop

More: One example (from [WZCPS18])

training algorithm

public ML model

commit

public commitment

proof

slide-5
SLIDE 5

Applications Abstractions Implementation

My goal:

throwing things at you re CP standards.

Caveats on the focus:

Non-Interactive case

slide-6
SLIDE 6

What? How (much)?

Standardizing CP

Why?

slide-7
SLIDE 7

Why? What? How (much)?

Standardizing CP

slide-8
SLIDE 8

Why Discussing a Standard for CP?

  • Extensive usage
  • → Typical reasons to standardize


(maximize compatibility, etc.)

  • Idiosyncratic reasons
  • CP requires a particular type of interoperability

NEXT: let’s give an example

slide-9
SLIDE 9

Interoperability and CP

Intuition:

Different CPZK operate on the same representation (the commitment). This representation is part of the relation.

= Commit(D)

Rbank(D) AND D

  • pens

Rempl(D) AND D

  • pens

Me D

my data

πbank πemployer

Rland(D) AND D

  • pens

πlandlord

slide-10
SLIDE 10

Why? What? How (much)?

Standardizing CP

slide-11
SLIDE 11

Step 0: One Single Notion for CPZK

An arbitrary relation for CP:

Rcom(ck, c, u) := R(u) AND “c opens to u w.r.t. ck”

* NB: this distinction makes sense for systems with trusted setup.

Recall KG syntax: srs <- ZK.KeyGen(R) There exist two notions in literature; they treat ck differently*

(ck, srs) <- ZKCP.KeyGen(R)

Notion (B)

(ck input of KG)

[CFQ19,Lipmaa16,~EG14]

Notion (A)

(ck output of KG)

[Geppetto]

srs <- ZKCP.KeyGen(ck, R) ck <- Com.Setup()

. . .

slide-12
SLIDE 12

Comparing Notions

Commitment depends on R and on scheme. Quite specific. Decouples commitment, R and scheme. Enables nice applications for CP

(e.g. commit-ahead-of-time, etc.) May be the notion worth standardizing

In the remainder of this presentation I will assume (B) as a CP notion to standardize

Notion (A)

(ck output of KG)

Notion (B)

(ck input of KG)

(ck, srs) <- ZKCP.KeyGen(R) srs <- ZKCP.KeyGen(ck, R)

slide-13
SLIDE 13

What to standardize?

Plausibly, commitments. Why?

  • 2. Commitments are the

“interoperability bottleneck” and they are part of the relation. At least we may need to agree on their syntax.

Rland(D) AND D

  • pens

= Commit(D)

Rbank(D) AND D

  • pens

Rempl(D) AND D

  • pens

Me D

πbank πemployer πlandlord

my data

  • 1. CPZK ~ ZK + Commitment
slide-14
SLIDE 14

A Commitment Syntax

D

  • pens

GOAL: A syntax for

As for CP , different notions of “opening” are possible. Let’s agree on one. A possible syntax:

𝖶𝗀𝗓𝖣𝗉𝗇(ck, c, D, o) → b ∈ {0,1}

“c opens to data D through opening o w.r.t. ck” Contrast this with (the more common)

𝖯𝗊𝖿𝗈(ck, c, o) → D ∈ {0,1}*

“Verification”-flavored (opening always carries D) “Reconstruction”-flavored (need to be able to recompute D from (c,o))

slide-15
SLIDE 15

A Definition for CP* [CDQ19]

R( x , u , ω )

Public input Committed witness “free" witness

*credits to Dario Fiore for the slide.

  • Def. A CP-NIZK for relation R and commitment scheme Com is a NIZK for the

relation Rcom ≔ (ck, R) s.t.

Rcom( x, c, u, o, ω ) ≔ “ R( x, u, ω ) = 1 ⋀ VfyCom(ck, c, u, o) = 1 ”

CP syntax.

KeyGen(ck, R) → srs = (ek, vk) Prove(ek, x, c, u, o, ω) → 𝝆 Ver(vk, x, c, 𝝆) → 0/1

slide-16
SLIDE 16

Why? What? How (much)?

Standardizing CP

slide-17
SLIDE 17

CP and Relation Representation

Rbank(D) AND D

  • pens

A Commit-and-prove relation shows separation of concerns:

Domain Logic “Protocol” Logic

Q: Could CP be standardized at the level of relation representation?

slide-18
SLIDE 18

define_rel( name: myComAndProveRel, vars:( X: Field, comY: Commitment(Field) ), constraints: /* Domain logic R(X,Y) */ )

CP and Relation Representation (cont.)

Q: Could we do the same for other cryptographic constructs?

Could compile automatically to R* that:

  • 1. shows opening of Y
  • 2. applies domain logic
  • n domain input values (X,Y)

Domain Logic

X Y

VfyCom

CY OY

slide-19
SLIDE 19

Not only Commit-and-Prove

define_rel( name: mySigAndProveRel, vars:( X: Field, sigY: Sign(Field) ), constraints: /* Domain logic R(X,Y) */ )

Could compile automatically to R* that:

  • 1. verifies signature on Y
  • 2. applies domain logic
  • n domain input values (X,Y)

Domain Logic

X Y

VfySig

SY

slide-20
SLIDE 20

Final Remarks/Qs

  • What abstraction(s) for CP?
  • def. should decouple commitment and relation (or

should it?)

  • Current proposal:
  • modularity
  • enable “nice” properties (commit-ahead-of-time, etc.)
  • Standardizing commitments? Which syntax?
  • Should we separate “domain” and “protocol” logic?
  • Standardizing applications, implementation, etc…?

Thanks!