SLIDE 1

Zero-Knowledge Proofs on Secret-Shared Data via Fully Linear PCPs

Dan Boneh (Stanford), Elette Boyle (IDC Herzliya), Henry Corrigan-Gibbs (Stanford), Niv Gilboa (Ben-Gurion University), Yuval Ishai (Technion)

SLIDES 2-4

Review: Zero-knowledge proofs [GMR89]

Prover P (holds a 3-coloring of G) → Verifier V (holds G): "G is 3-colorable"

  • Complete. Honest P convinces honest V.
  • Sound. Dishonest P* rarely fools honest V.
  • ZK. Dishonest V* learns only that G ∈ 3COL.
    → V* learns nothing else about G.

SLIDES 5-8

This paper: Zero-knowledge proofs on distributed data

Prover P (holds a 3-coloring of G₁ + G₂) → Verifier V₁ (holds G₁), Verifier V₂ (holds G₂): "G₁ + G₂ is 3-colorable"

  • Complete. Honest P convinces honest V₁, V₂.
  • Sound. Dishonest P* rarely fools honest (V₁, V₂).
  • Strong ZK. Dishonest V₁* (or V₂*) learns only that G₁ + G₂ ∈ 3COL.
    → V₁* learns nothing else about G₂.

Protocol model:

  • k-round protocol: as in other multiparty protocols
  • Public coin: the verifiers' messages to the prover are random strings
  • More than two verifiers

SLIDE 9

Special case: Zero-knowledge proofs on secret-shared data

Language ℒ ⊆ 𝔽ⁿ, for finite field 𝔽.

Prover (holds x ∈ 𝔽ⁿ, for x = x₁ + x₂): "x₁ + x₂ ∈ ℒ"

Verifier V₁ holds x₁ ∈ 𝔽ⁿ; Verifier V₂ holds x₂ ∈ 𝔽ⁿ.

SLIDES 10-12

ZK proofs on distributed data: Applications and prior implicit constructions

Communication cost, prior work vs. this work (language ℒ given for each application):

  • PIR writing, private messaging ([OS97], [BGI16], Riposte, …); ℒ = weight-one vectors in 𝔽ⁿ: prior Ω(n), this work O(1).
  • Private statistics, private ad targeting (Adnostic, Adscale, Prio, …); ℒ = {0,1}ⁿ ⊆ 𝔽ⁿ, for large 𝔽: prior Ω(n), this work O(log n). (Prio is used in the Firefox browser.)

Also: New application to malicious-secure MPC.

SLIDES 13-18

Selected results: New ZK proofs

Let 𝔽 be a finite field. Let ℒ ⊆ 𝔽ⁿ be a language. (n ≪ |𝔽|)

Theorem. If ℒ is recognized by circuits of size |𝒞|, there is a public-coin ZK proof on distributed data for ℒ with:

  • O(1) rounds and
  • communication cost O(|𝒞|) (elements of 𝔽).

Theorem. If ℒ has a degree-two arithmetic circuit, there is a public-coin ZK proof on distributed data for ℒ with:

  • O(log n) rounds and
  • communication cost O(log n). (Improves: Ω(n) [BC17])
  • Round/communication trade-off: k rounds, n^O(1/k) communication.
  • Generalizes special-purpose schemes. [CB17]
  • Non-trivial extension to the setting in which the prover and some verifiers collude.

Our proofs apply to a much larger class of "structured" languages (see paper):

  • Circuits with degree O(1), or repetition, or …

SLIDES 19-20

This talk

  • ZK proofs on distributed data
  • Fully linear PCPs
  • Application: Three-party computation

SLIDE 21

Constructing ZK proofs on distributed data

Step 1. Define "fully linear PCPs"

  • A strengthening of linear PCPs [IKO07]
  • We then show: an efficient fully linear PCP for ℒ implies an efficient ZK proof on distributed data for ℒ.

Step 2. Construct new fully linear PCPs

SLIDE 22

Linear probabilistically checkable proofs (PCPs) [IKO07]

Finite field 𝔽, language ℒ ⊆ 𝔽ⁿ.

Prover (holds 𝒙 ∈ 𝔽ⁿ, claims "𝒙 ∈ ℒ") produces a proof 𝝅 ∈ 𝔽ᵐ. The LPCP verifier (holds 𝒙 ∈ 𝔽ⁿ) sends a query 𝐪 ∈ 𝔽ᵐ and receives the answer 𝑎 = ⟨𝐪, 𝝅⟩ ∈ 𝔽.

  • Linear PCP proof is a vector 𝝅.
  • Linear PCP verifier: takes 𝒙 as input, makes O(1) linear queries to 𝝅.
  • Must satisfy notions of completeness, soundness, and zero knowledge.

SLIDE 23

Fully linear probabilistically checkable proofs (PCPs) [This work]

Finite field 𝔽, language ℒ ⊆ 𝔽ⁿ.

Prover (claims "𝒙 ∈ ℒ") produces a proof 𝝅 ∈ 𝔽ᵐ; the input 𝒙 ∈ 𝔽ⁿ is now part of the queried vector. The FLPCP verifier sends a query 𝐪 ∈ 𝔽ⁿ⁺ᵐ and receives the answer 𝑎 = ⟨𝐪, 𝒙‖𝝅⟩ ∈ 𝔽.

  • Fully linear PCP proof is a vector 𝝅.
  • Fully linear PCP verifier: takes 𝒙 as input, makes O(1) linear queries to (𝒙‖𝝅).
  • Must satisfy notions of completeness, soundness, and zero knowledge.

SLIDES 24-35

If language ℒ has an efficient fully linear PCP, it has an efficient ZK proof on distributed data.

Setting: Verifier V₁ holds 𝒙₁ ∈ 𝔽^(n/2), Verifier V₂ holds 𝒙₂ ∈ 𝔽^(n/2); the prover holds 𝒙 = 𝒙₁‖𝒙₂ and claims "𝒙₁‖𝒙₂ ∈ ℒ".

  • 1. Generate the FLPCP proof 𝝅 and split it using secret sharing: 𝝅 = 𝝅₁ + 𝝅₂, with 𝝅₁ sent to V₁ and 𝝅₂ sent to V₂.
  • 2. Sample query vectors using common randomness (illustration: query 𝐪 = (5 1 2 | 7 | 4 | 9), identical at both verifiers).
  • 3. Publish shares of query answers and reconstruct:
    ⟨𝐪, 𝒙₁‖𝝅₁⟩ ∈ 𝔽 (computed locally by V₁, on the coordinates of 𝐪 that fall on its part of 𝒙 and on 𝝅)
    + ⟨𝐪, 𝒙₂‖𝝅₂⟩ ∈ 𝔽 (computed locally by V₂)
    = ⟨𝐪, 𝒙‖(𝝅₁ + 𝝅₂)⟩ = ⟨𝐪, 𝒙‖𝝅⟩ = answer.
  • 4. Recover the O(1) query answers 𝒂₁, …, 𝒂_O(1) and run the FLPCP verifier; both verifiers output "𝒙 ∈ ℒ" or reject.

Communication: 2·|proof| + O(1).
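The four steps above, and the degree-two decision of slides 37-45, as a constructed Python example that is not the authors' code: a toy fully linear PCP for the language of 0/1 vectors, built from the polynomial identity f·g = h (the verifier's check f(r)·g(r) = h(r) is the degree-two predicate), then compiled into a two-verifier ZK proof on additively shared data. The field 𝔽 = ℤ_p with p = 2^61 - 1, the language, the query layout and all function names are assumptions of this example.

```python
"""Constructed example (not the authors' code): a toy fully linear PCP for L = {x in F^n :
every x_i is 0 or 1}, compiled into a ZK proof on additively shared data (steps 1-4 above)."""
import random

P = 2**61 - 1  # field F = Z_p (assumed choice for the example)

def lagrange_weights(points, r):
    """w_j with f(r) = sum_j w_j * f(points[j]) for every f of degree < len(points)."""
    w = []
    for j, pj in enumerate(points):
        num, den = 1, 1
        for m, pm in enumerate(points):
            if m != j:
                num = num * (r - pm) % P
                den = den * (pj - pm) % P
        w.append(num * pow(den, P - 2, P) % P)
    return w

def dot(q, v):
    return sum(a * b for a, b in zip(q, v)) % P

def prove(x):
    """Prover: pi = (f(0), g(0), h(0), ..., h(2n)) with f(j) = x_j, g(j) = x_j - 1 for
    j = 1..n, random f(0), g(0) (this gives zero knowledge), and h = f * g."""
    n = len(x)
    f = [random.randrange(P)] + [v % P for v in x]
    g = [random.randrange(P)] + [(v - 1) % P for v in x]
    pts = list(range(n + 1))
    h = [dot(w, f) * dot(w, g) % P for w in (lagrange_weights(pts, k) for k in range(2 * n + 1))]
    return [f[0], g[0]] + h

def queries(n, seed):
    """Verifier: O(1) linear queries on (x || pi), derived from common randomness `seed`."""
    rng = random.Random(seed)
    r = rng.randrange(n + 1, P)                  # evaluation point outside {0, ..., n}
    rho = [rng.randrange(P) for _ in range(n)]   # random combination of gate outputs h(1..n)
    wf = lagrange_weights(list(range(n + 1)), r)
    wh = lagrange_weights(list(range(2 * n + 1)), r)
    m = 2 * n + 3                                # proof length |pi|
    q_f = wf[1:] + [wf[0]] + [0] * (m - 1)       # f(r): x part of the query, then f(0) = pi[0]
    q_g = wf[1:] + [0, wf[0]] + [0] * (m - 2)    # g(r) up to a public constant; g(0) = pi[1]
    q_h = [0] * (n + 2) + wh                     # h(r) from h(0..2n) = pi[2:]
    q_rho = [0] * (n + 3) + rho + [0] * n        # sum_j rho_j * h(j) over j = 1..n
    g_const = -sum(wf[1:]) % P                   # the "-1" in g(j) = x_j - 1; public, so not queried
    return [q_f, q_g, q_h, q_rho], g_const

def decide(answers, g_const):
    """Degree-two decision predicate on the O(1) reconstructed answers."""
    a_f, a_g, a_h, a_rho = answers
    a_g = (a_g + g_const) % P
    return a_f * a_g % P == a_h and a_rho == 0   # h = f*g at r, and every gate output h(j) is 0

def share(v):
    """Additive secret sharing over F: v = s1 + s2 (step 1 of the compiler)."""
    s1 = [random.randrange(P) for _ in v]
    return s1, [(a - b) % P for a, b in zip(v, s1)]

def distributed_verify(x1, x2, pi1, pi2, seed):
    """V1 holds (x1, pi1), V2 holds (x2, pi2). Both derive the same queries (step 2), apply
    them locally and publish O(1) elements (step 3): <q, x1||pi1> + <q, x2||pi2> = <q, x||pi>."""
    qs, g_const = queries(len(x1), seed)
    a1 = [dot(q, x1 + pi1) for q in qs]          # local work of V1
    a2 = [dot(q, x2 + pi2) for q in qs]          # local work of V2
    return decide([(u + v) % P for u, v in zip(a1, a2)], g_const)   # step 4

def run(x, seed=7):
    pi = prove(x)                                # honest prover on the full x
    x1, x2 = share([v % P for v in x])
    pi1, pi2 = share(pi)
    return distributed_verify(x1, x2, pi1, pi2, seed)
```

A dishonest prover who sends an all-zero proof for a non-bit x fails the f(r)·g(r) = h(r) check, while an honest prover on a non-bit x fails the random combination of gate outputs; in both cases only four field elements per verifier are published.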

SLIDE 36

Fully linear PCPs: Constructions

  • Many existing linear PCPs are also fully linear
    – Linear PCPs [IKO07], Pepper [SMBW12], [GGPR13], [BCIOP13], …
    – Downside: for circuit size |𝒞|, proof size Ω(|𝒞|).
  • We get new shorter proofs using interaction
    – Applies to "structured" languages
  • Our proofs are closely related to:
    – Aaronson-Wigderson protocol in comm. complexity [AW09]
    – Interactive PCP and oracle proofs [KR08], [BCS16], [RRR16]
    – Sum-check-like proof systems [BFLS91], [GKR08], [W16]

SLIDES 37-45

Short proofs for degree-two circuits

Verifier V₁ holds 𝒙₁ ∈ 𝔽^(n/2), Verifier V₂ holds 𝒙₂ ∈ 𝔽^(n/2). The prover claims that (𝒙₁‖𝒙₂) ∈ ℒ ⊆ 𝔽ⁿ, where a degree-two circuit computes ℒ, and sends proof shares 𝝅₁ to V₁ and 𝝅₂ to V₂.

To check the proof: (1) apply a randomized linear map to (𝒙, 𝝅) and (2) evaluate a degree-two circuit on the result.

  • The verifiers apply the linear map locally, each to its own share: 𝒙₁ ↦ 𝒙₁′ ∈ 𝔽^(n/c), 𝒙₂ ↦ 𝒙₂′ ∈ 𝔽^(n/c).
  • They now need to check that 𝒞(𝒙₁′‖𝒙₂′) = 1, for a degree-two circuit 𝒞: a smaller instance of the same kind of statement.
  • Send coins to the prover.
  • Invoke the proof system recursively.

SLIDES 46-47

This talk

  • ZK proofs on distributed data
  • Fully linear PCPs
  • Application: Three-party computation

SLIDES 48-51

Our results: Application to MPC

Theorem. For any arithmetic circuit 𝒞 over field 𝔽, there is a secure three-party protocol for computing 𝒞 that

  • Tolerates one malicious party
  • Is computationally secure with abort (assuming only PRGs)
  • Has amortized communication 1 element of 𝔽 per party per gate.

Communication per party per gate, over ℤ₂ / over large fields:

  • State of the art: 7 [ABFLLNOWW17], … / 2 [CGHIKLN18], …
  • This work: 1 / 1

Matches cost of best 3PC with semi-honest security [AFLNO16].

SLIDE 52

We use a semi-honest MPC protocol Φ that has two extra properties…

I. Protocol reveals nothing until the last message.
  – Holds even if some parties are malicious.
  – Malicious behavior at the last message can only cause abort.

II. Checkable by a degree-two relation.
  Each of player i's messages is a degree-two function of:
  • 1. player i's input and
  • 2. the messages that player i has received so far.

Can instantiate with existing protocols: [AFLNO16], [KKW18], …

SLIDES 53-63

Overview of our 3PC protocol (Player 1, Player 2, Player 3)

  • 1. Run semi-honest MPC protocol Φ. Players halt before publishing the last protocol message.
  • 2. Prove that messages complied with Φ. Each player proves to the other two: "The messages I sent you both observed the protocol Φ".
    This is a ZK proof on distributed data:
    – Messages that player 1 sent are split across players 2 and 3
    – The language is recognized by a degree-two circuit
    Communication: O(log |𝒞|) per player. Possible with our new ZK proofs on distributed data for degree-two relations.
  • 3. Reveal the last message to recover the output. (Figure labels: Player 2, Player 1, Dealer.)

SLIDE 64

Summary of our three-party protocol

Communication cost per player (field elements):

  • Messages from Φ: |𝒞| + o(|𝒞|)
  • Proofs: O(log |𝒞|)
  • TOTAL: |𝒞| + o(|𝒞|), i.e. per gate: 1 + o(1)

Generalizations [see paper]:
  – to O(1) parties with honest majority
  – to arbitrary rings ℤ_(2^k)

SLIDE 65

Comparison to GMW compiler [GMW87]

Like GMW, our compiler converts: Semi-honest Φ → Malicious-secure Φ

Differences:

  • GMW uses "message-by-message" ZK proofs. We use one big (but sublinear-size) proof at the end.
  • GMW requires assumptions/commitments. Our compiler is information theoretically secure.
  • GMW requires that all players see all messages (broadcast channel). With distributed ZK, can use point-to-point channels.

SLIDE 66

Summary: ZK proofs on distributed data

  • One prover, multiple verifiers, each with different input
    – Protocol hides verifiers' inputs from each other
  • Proofs are information theoretic and lightweight
  • New key tool: Fully linear proof systems
    – Can unify with sum-check-based proofs? [GKR08], [CTY11], [T16], …
  • Applications: MPC, privacy-preserving systems, …
    – Also to other models of distributed proof? [KOS18], [NPY18], …

Dan Boneh, Elette Boyle, Henry Corrigan-Gibbs, Niv Gilboa, Yuval Ishai
https://eprint.iacr.org/2019/188
