Zero-knowledge Arguments Proving circuit satisfiability in - - PowerPoint PPT Presentation


SLIDE 1

Short Pairing-based Non-interactive Zero-knowledge Arguments

Proving circuit satisfiability in zero-knowledge

SLIDE 2

Zero-knowledge

  • In a zero knowledge protocol a prover can convince a verifier that some statement is true without leaking any side information.
  • The prover sends an argument (or arguments).
  • The verifier gets said argument and decides if it is a valid argument.

SLIDE 3

Non-interactive protocol

  • Most zero-knowledge (ZK) protocols consist of a discourse between the prover and verifier.
  • Interactive protocols are problematic in case of multiple independent verifiers.
  • In a non-interactive protocol the prover is the only one sending arguments.

SLIDE 4

Circuit satisfiability

  • Given a Boolean circuit, the protocol will verify that the prover has a satisfying assignment to the input variables.
  • Since NAND is a universal gate, we need only solve the problem for NAND circuits.
  • In our protocol the assigned values of the wires are committed in ZK.

SLIDE 5

Schematic description of the process

  • The prover holds assignments to all the wires in the circuit.
  • A self loop will be added to the output wire of the circuit: output = NAND(output, new_variable), forcing the output wire to be 1 (true) by consistency.
  • The prover will commit the assignment values via group elements.

[Figure: The prover, with wire labels NV, a1 a2 a3 a4, b1 b2 b3 b4, u1 u2 u3]

SLIDE 6

The committed arguments, by development order

  • A general “knowledge argument” generator: input is a vector of to-be-committed values, output is 2 group elements.
  • “Restricted argument” module, which is a knowledge commitment for specific subsets of [1,...,q] ($q = n^2 + 3n - 2$).
  • “Product & Permutation arguments”: use restricted arguments. Prove consistency.

SLIDE 7

Representing circuits

  • A circuit will be represented as an array of NAND gates.
  • Each NAND gate is a 3-wire tuple, where wires are represented by their indexes.

SLIDE 8

Common reference string

  • Generated by a trusted party, and can be verified to be well-formed.
  • Holds data used in both commitment and verification (group descriptions, generators, the mapping function and more).
  • Contains the necessary group elements to build and verify the restricted arguments.

SLIDE 9

The verifier

  • Will check consistency of the assignments via the arguments using the homomorphic property of the group elements, and the CRS.
    – All assigned values are in {0,1}: check $a = a^2$ for every value $a$.
    – All NAND gates are respected ($a_i b_i = 1 - u_i$), including the self loop.
    – Permutation property: wires of the same origin have the same assignment.
    – More.
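The circuit representation, the output self loop and the verifier's three consistency checks can be run in the clear, as an added example that is not part of the presentation or the authors' implementation. It uses no commitments, pairings or CRS, so it shows only the relations the arguments enforce; the function names and the sample circuit are constructed for illustration.

```python
# Added illustration: the verifier's checks from the slides, evaluated on
# plain integers (no commitments, no pairings, no zero-knowledge).

def add_self_loop(gates, out_wire, new_wire):
    """Append output = NAND(output, new_variable), forcing output to 1."""
    return gates + [(out_wire, new_wire, out_wire)]

def slots_from_wires(gates, wire_values):
    """Honest prover: copy each wire's value into every slot that uses it."""
    a = [wire_values[wa] for wa, _, _ in gates]
    b = [wire_values[wb] for _, wb, _ in gates]
    u = [wire_values[wu] for _, _, wu in gates]
    return a, b, u

def verify(gates, a, b, u):
    """Return the list of violated constraints; an empty list means accept."""
    failures, seen = [], {}
    for i, (wa, wb, wu) in enumerate(gates, start=1):
        av, bv, uv = a[i - 1], b[i - 1], u[i - 1]
        for slot, wire, val in ((f"a{i}", wa, av), (f"b{i}", wb, bv), (f"u{i}", wu, uv)):
            if val != val * val:                   # a = a^2  <=>  a in {0,1}
                failures.append(("not-boolean", slot))
            if seen.setdefault(wire, val) != val:  # same wire, same value
                failures.append(("inconsistent-wire", wire))
        if av * bv != 1 - uv:                      # a_i * b_i = 1 - u_i
            failures.append(("nand", i))
    return failures

# Constructed sample circuit: wires 0,1 are inputs x,y; wire 2 = NAND(x, y);
# wire 3 = NAND(wire 2, wire 2) = AND(x, y) is the output; wire 4 is the
# self loop's new variable. Each gate is (a, b, u) with u = NAND(a, b).
GATES = add_self_loop([(0, 1, 2), (2, 2, 3)], out_wire=3, new_wire=4)

def honest(x, y, nv):
    """Evaluate the sample circuit and expand it into slot vectors."""
    w2 = 1 - x * y
    w3 = 1 - w2 * w2
    return slots_from_wires(GATES, [x, y, w2, w3, nv])

if __name__ == "__main__":
    print("x=1,y=1:", verify(GATES, *honest(1, 1, 0)))
    print("x=1,y=0:", verify(GATES, *honest(1, 0, 0)))
    # Cheating prover: every gate equation holds, but wire 2 has two values.
    print("cheat:  ", verify(GATES, [1, 0, 1], [0, 0, 0], [1, 1, 1]))
```

The last case satisfies every NAND equation and is caught only by the permutation property, which is why the gate check alone is not sufficient.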

SLIDE 10

Security of the protocol

  • To show the protocol is secure, one needs to show the following:
    – The prover can’t easily fool the verifier into thinking he has the assignments.
    – The verifier can’t easily learn the assignments (or any part of them) from the arguments sent to it.
  • These can be proved using two assumptions: q-PKE and q-CPDH.

SLIDE 11

Complexity

  • In the protocol we implement, the space complexity of the sent arguments is constant (42 group elements).
  • Space complexity of the CRS is quadratic in the circuit size: $O(n^2)$.
  • This is fine when the CRS is not replaced often.
  • It is possible to make the CRS shorter by making the arguments longer. The optimal overall complexity will be $O(n^{2/3})$.
  • $n$ is the size of the NAND circuit (a constant factor of the original circuit).

SLIDE 12

Later Modifications

  • Lipmaa suggested using progression-free sets and managed to improve the CRS length for a given argument length.
    – For a constant argument length the CRS length is down to $n^{1+o(1)}$.
    – For arguments of length $\Theta(n^{2/3})$ the CRS length is $n^{1/3+o(1)}$.
    – For arguments of length $\Theta(n^{1/2})$ the CRS length is $n^{1/2+o(1)}$.

SLIDE 13

Our contribution

  • We implement the basic protocol presented by Groth.
  • We will have two separate processes representing the prover and the verifier.
  • Both have access to a file containing the CRS.
  • Arguments generated by the prover will be stored in a file, which will be given as input to the verifier.
  • The verifier will decide whether the prover actually has an assignment satisfying the circuit.

SLIDE 14

Testing method

  • We will check the system by committing to both valid and invalid arguments. We will check whether the verifier manages to tell which is which.