Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, - - PowerPoint PPT Presentation

zero knowledge arguments
SMART_READER_LITE
LIVE PREVIEW

Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, - - PowerPoint PPT Presentation

Mar 29, 2023 370 likes •713 views

Sub-Linear Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli, Rafael del Pino, Jens Groth and Vadim Lyubashevsky Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits 2

slide-1
SLIDE 1

Sub-Linear Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits

Carsten Baum, Jonathan Bootle, Andrea Cerulli, Rafael del Pino, Jens Groth and Vadim Lyubashevsky

slide-2
SLIDE 2

Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits

2

slide-3
SLIDE 3

Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits

Commitment/hash from SIS:

  • Binding/collision resistant by SIS
  • Hiding by Leftover Hash Lemma
  • Homomorphic
  • Compressing [A96]

3

=

slide-4
SLIDE 4

Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits

4

Prover Verifier Witness Statement

slide-5
SLIDE 5

Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits

5

Prover Verifier Witness Statement

slide-6
SLIDE 6

Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits

6

Prover Verifier Statement

Completeness: An honest prover convinces the verifier.

slide-7
SLIDE 7

Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits

7

Statement Prover Verifier

Soundness: A dishonest prover never convinces the verifier. Computational guarantee

  • > argument

Completeness: An honest prover convinces the verifier.

slide-8
SLIDE 8

Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits

8

Statement Prover Verifier

Completeness: An honest prover convinces the verifier. Knowledge Soundness: The prover must know a witness to convince the verifier.

  • > Proof/argument
  • f knowledge
slide-9
SLIDE 9

Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits

9

Statement

Zero-knowledge: Nothing but the truth of the statement is revealed.

Prover Verifier

Completeness: An honest prover convinces the verifier.

Witness

Knowledge Soundness: The prover must know a witness to convince the verifier.

  • > Proof/argument
  • f knowledge
slide-10
SLIDE 10

Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits

10

Statement 3 Witness

Why arithmetic circuits?

  • C to circuit compilers
  • Models cryptographic

computations

  • Witness existence? NP-Complete
slide-11
SLIDE 11

Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits

11

Prover Verifier

Prover Computation Verifier Computation Communication Cryptographic Assumption

Statement

Interaction

slide-12
SLIDE 12

Results Table

Expected # Moves Communication Prover Complexity Verifier Complexity [DL12] [BKLP15] This Work

12

slide-13
SLIDE 13

Arithmetic Circuit Argument

13

Arithmetic Circuits Matrix Equations Polynomials Commitments Protocol Extension Fields Proof of Knowledge Rejection Sampling

The interesting parts Featured in prior works DLOG Protocols Information Theoretic Proofs

slide-14
SLIDE 14

Proof of Knowledge

14

Statement Witness

slide-15
SLIDE 15

Proof of Knowledge

15

slide-16
SLIDE 16

Typical Proofs of Knowledge

16

Completeness: Knowledge Soundness:

Soundness Slack None for us*

slide-17
SLIDE 17

Simplistic Protocol

P V

Rejection Sampling

17

slide-18
SLIDE 18

Our Protocol

18

slide-19
SLIDE 19

Our Protocol

19

slide-20
SLIDE 20

Proof-of-Knowledge Performance

20

Expected # Moves Communication Prover Complexity Verifier Complexity [BDLN16] [CDXY17] This Work This Work

slide-21
SLIDE 21

Arithmetic Circuit Argument

21

Arithmetic Circuits Matrix Equations Polynomials Commitments Protocol Extension Fields Proof of Knowledge Rejection Sampling

slide-22
SLIDE 22

High Level Structure

O + = = L R O

5 15 7 12 180

3 15 5 5 12 7 15

180

12

22

slide-23
SLIDE 23

High Level Structure

O + = = L R O

5 15 7 12 180

3 15 5 5 12 7 15

180

12

23

slide-24
SLIDE 24

High Level Structure

O

+

= = L R O

24

slide-25
SLIDE 25

High Level Structure

O

+

= = L R O

25

slide-26
SLIDE 26

Matrix Dimensions

~√N ~√N ~√N ~√N

26

slide-27
SLIDE 27

Paradigm from Previous Arguments

2 6 6 2 1 9 2 7 4 5 3 7 2 8 3 6 1 6 9 5 7 6 7 1 4 2 6 8 3 6 3 7 2 7 5 3 2 4 7 5 2 8 7 3 1 4 7 3

27

slide-28
SLIDE 28

Protocol Flow

P V

Check size bounds and linear combinations

, Proof of Knowledge

  • 1. Commit to wire values
  • 2. Commit to polynomial

coefficients

  • 3. Commit to mod p

correction factors

  • 4. Compute linear combinations, do

rejection sampling, proof of knowledge

slide-29
SLIDE 29

Protocol Flow

P

√N

V

√N √N , Proof of Knowledge √N √N O(1) O(1)

slide-30
SLIDE 30

Parameter Choice

30

p, arithmetic circuits modulo p maximum size of honest prover committed values maximum size of openings from knowledge-extractor binding space for SIS commitments q, modulus for SIS Polynomial- sized gap

slide-31
SLIDE 31

Additional Issues

31

Not negligible! Negligible!

Schwarz-Zippel Lemma:

Empty Empty Rubbish Rubbish

slide-32
SLIDE 32

32

slide-33
SLIDE 33

Thanks!

Expected # Moves Communication Prover Complexity Verifier Complexity

33

  • General Statements
  • Sub-linear proofs
  • Relies on SIS