zero knowledge proofs ii zk snarks
play

Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap - PowerPoint PPT Presentation

Jul 16, 2023 •2.47k likes •3.26k views

Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap Lelantus One e ffi cient way to do 1-in-N proofs zk-SNARKs A general way to prove anything in Zero-Knowledge (if you dont know how to do it any other way, use

  1. Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019

  2. Overview • Recap Lelantus • One e ffi cient way to do 1-in-N proofs • zk-SNARKs • A general way to prove anything in Zero-Knowledge • (if you don’t know how to do it any other way, use zk-SNARKs)

  3. Used serial# e8fb04ab61cfdd9ab54d9b1 Lelantus ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 … hidden coins (Pedersen Commitments) JoinSplit Mint Spend Plaintext coins

  4. Lelantus Mint Proof: Pedersen Commitment valid hidden coins (Pedersen Commitments) Mint Plaintext coins

  5. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c Spend 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 73f143adf73708de491ff9d hidden coins (Pedersen Commitments) … Spend Proof: Serial number amount Plaintext coins

  6. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c JoinSplit 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 … hidden coins (Pedersen Commitments) JoinSplit

  7. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c JoinSplit 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 a6e434bb929b8c4d9adf1fb … hidden coins (Pedersen Commitments) 1-in-N Input1

  8. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c JoinSplit 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 a6e434bb929b8c4d9adf1fb 73f143adf73708de491ff9d hidden coins (Pedersen Commitments) … 1-in-N Input1 + Input2

  9. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c JoinSplit 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 a6e434bb929b8c4d9adf1fb 73f143adf73708de491ff9d hidden coins (Pedersen Commitments) 95b96411c8dc99f6be2b443 … 1-in-N Input1 + Input2 + Input3

  10. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c JoinSplit 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 a6e434bb929b8c4d9adf1fb 73f143adf73708de491ff9d hidden coins (Pedersen Commitments) 95b96411c8dc99f6be2b443 … Proof: valid Pedersen Commitment Input1 + Input2 + Input3 + Output1

  11. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c JoinSplit 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 a6e434bb929b8c4d9adf1fb 73f143adf73708de491ff9d hidden coins (Pedersen Commitments) 95b96411c8dc99f6be2b443 … Proof: valid Pedersen Commitment Input1 + Input2 + Input3 + Output1 + Output2

  12. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c JoinSplit 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 a6e434bb929b8c4d9adf1fb 73f143adf73708de491ff9d hidden coins (Pedersen Commitments) 95b96411c8dc99f6be2b443 … Input1 + Input2 + Input3 + Output1 + Output2 + ExtraCashOut

  13. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c JoinSplit 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 a6e434bb929b8c4d9adf1fb 73f143adf73708de491ff9d hidden coins (Pedersen Commitments) 95b96411c8dc99f6be2b443 … Proof of valid transaction: ( c , d , α ) Input1 + Input2 + Input3 + Output1 + Output2 + ExtraCashOut=T If , then T can be described as a factor of only and : c = ℋ ( T | cT + dH + α F ) H F • does not have any components = no money was created or destroyed G

  14. Anonymous Cryptocurrencies 1-in-N proofs Pedersen Commitments 1-in-N proofs 1-in-N proofs

  15. zk-SNARKs Zero-Knowledge Succinct Non-Interactive Argument of Knowledge

  16. zk-SNARK • A general purpose zero-knowledge tool for any computation • Need to prove that you know the pre-image of a hash • => zk-SNARK • Need to build a secret cryptocurrency (e.g. Zerocoin) • => zk-SNARK • Need to prove that you know XYZ? • => zk-SNARK

  17. zk-SNARK • A general purpose zero-knowledge tool for any computation • Very useful, highly relevant, but quite complicated • We will give a high-level overview of how this works • a complete discussion could be an entire semester

  18. zk-SNARK • Perform the computation storing any intermediate value • All values of all variables, called the witness • We encode the witness as a polynomial function w ( x ) • We show that can divide , the constraint polynomial w ( x ) c ( x ) • Only if is the witness valid a ( x ) ⋅ w ( x ) = c ( x ) • If the witness is valid, the program was executed correctly

  19. zk-SNARK • The trick is showing a ( x ) ⋅ w ( x ) = c ( x ) • We show at a secret position a ( x ) ⋅ w ( x ) − c ( x ) = 0 x • Encode polynomials and position via ECC a , w , c x

  20. zk-SNARK • Alice wants to convince Bob that she executed a program • Alice creates the witness w ( x ) • Bob choses a position and verifies x eval a ( x eval ) − w ( x eval ) − c ( x eval ) = 0

  21. Evaluating two polynomials at a random position is enough to check for equality

  22. All that’s left to do • Represent the proof of executing a program as a proof that I know a divisor of a polynomial • Encode the proof in ECC w ( x ) a ( x ) = c ( x )

  23. Proof of Knowledge of Division • Points can be added and multiplied • given 3 points , I can A = aG , B = bB , C = cG , D = dG ax 3 + bx 2 + cx + d encode the polynomial x 3 A + x 2 B + xC + D • The details on how to do the polynomial checks are beyond the scope of today’s lecture

  24. Proof of execution • Computers run on hardware • Theoretically, we can simulate any program with looking at the binary circuits 1. Represent the computation as a binary circuit • Or algebraic circuit for pure math problems 2. Reduction to a Rank 1 Constraint System (R1CS) 3. Representation as a Quadratic Assignment Problem (QAP)

  25. Program Representation • Assume we want to prove that we know a value so that x x 4 + x + 2 = 86 (hint ) x = 3 • Other applications: • I know a value so that (proof of ℋ ( x ) = 23 d 23 e 1… x knowledge of preimage) • A secret blockchain: I know a transaction so that T • is the blockchain T • I know the private key/serial# of T • The output is not yet spend

  26. Flattening the computation x 4 + x + 2 = 86 Proof: We know so that (hint ) x x = 3 • We can verify all basic operations (+,-,*,assignment) • We need to represent the computation as a sequence of basic steps (possibly introducing temporary variables) + 1. a = x ⋅ x + 2. b = a ⋅ a × 3. c = b + x 4. out = c + 2 × × x x x 2 x x

  27. Flattening the computation x 4 + x + 2 = 86 Proof: We know so that (hint ) x x = 3 1. a = x ⋅ x operator 2. b = a ⋅ a R = O L ( ) ⋅ , + , − 3. c = b + x 4. out = c + 2 List of all variables: 1, x , a , b , c , out instead of as 1 2 basic unit for all constants

  28. Each operation as vector List of all variables: operator = L R O ( ) 1, x , a , b , c , out ⋅ , + , − We can generalize all operations using 3 vectors: . . . 1 1 1 . . . x x x = . . . a ⋅ a ⨂ ⨂ a ⨂ . . . b b b . . . c c c . . . out out out

  29. Each operation as vector List of all variables: operator = L R O ( ) 1, x , a , b , c , out ⋅ , + , − We can generalize all operations using 3 vectors: Multiplication: (Example ) a = x ⋅ x 0 0 0 1 1 1 1 0 1 x x x = 0 1 0 a ⋅ a ⨂ ⨂ a ⨂ 0 0 0 b b b 0 0 0 c c c 0 0 0 out out out 1 ⋅ x 1 ⋅ x ⋅ = a ⋅ 1

  30. Each operation as vector List of all variables: operator = L R O ( ) 1, x , a , b , c , out ⋅ , + , − We can generalize all operations using 3 vectors: Addition: (Example ) b = x + 7 7 0 1 1 1 1 1 0 0 x x x = 0 0 0 a ⋅ a ⨂ ⨂ a ⨂ 0 1 0 b b b 0 0 0 c c c 0 0 0 out out out (1 ⋅ 7) + ( x ⋅ 1) 1 ⋅ 1 ⋅ = b ⋅ 1

  31. Each operation as vector x 4 + x + 2 = 86 Proof: We know so that (hint ) x x = 3 1. a = x ⋅ x 2. b = a ⋅ a 3. 0 c = b + x 1 0 1 0 1 0 1 1 4. out = c + 2 x x x 1 0 0 a a a ⋅ = operator 0 0 0 b b b = L R O ( ) ⋅ , + , − 0 0 0 c c c 0 0 0 out out out List of all variables: 1, x , a , b , c , out

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs Flattening the computation x 4 + x + 2 = 86 Proof: We know so that (hint ) x x = 3 We can verify all basic operations (+,-,*,assignment) We

1.28k views • 62 slides
References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge https://en.wikipedia.org/wiki/Zero-knowledge_proof Protocols Zero Knowledge Proofs: An Illustrated Primer by M. Green. Part I: https://blog.cryptographyengineering.com/2014/11/27/ Jim

389 views • 18 slides
zk-SNARKs Panagiotis Grontas NTUA-advTCS 01/06/2017 1 / 68 (NTUA-advTCS) zk-SNARKs

zk-SNARKs Panagiotis Grontas NTUA-advTCS 01/06/2017 1 / 68 (NTUA-advTCS) zk-SNARKs

Introduction Prerequisites The Proof Applications References zk-SNARKs Panagiotis Grontas NTUA-advTCS 01/06/2017 1 / 68 (NTUA-advTCS) zk-SNARKs Introduction Effjciently verify the correctness of computations without executing

1.06k views • 68 slides
Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner

Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner

Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner TA: Malvin Gattinger October 22, 2014 1 / 27 Introduction Zero-knowledge proofs are proofs that yield nothing beyond the validity of the

415 views • 27 slides
Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive Proofs 2 Interactive Proofs Prover wants to convince verifier that x has some property 2 Interactive Proofs Prover wants to convince verifier

1.9k views • 174 slides
Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a

Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a

Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a property about an element without revealing Lelantus ZCoins Zero-Knowledge protocol Prove that transactions are valid, without revealing

1.37k views • 72 slides
Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien

Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien

Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien Canard (1) , David Pointcheval (2) and Olivier Sanders (1 , 2) S (1) Orange Labs, Caen, France (2) Ecole Normale Sup erieure, Paris,

556 views • 31 slides
Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge Iftach Haitner, Tel Aviv University December 4, 2011 IP for GNI Part I Interactive Proofs IP for GNI Interactive Vs. Interactive Proofs Definition 1 (

1.51k views • 110 slides
On the Security and Privacy of delegated computation Anca Nitulescu DI ENS - Cascade Outline

On the Security and Privacy of delegated computation Anca Nitulescu DI ENS - Cascade Outline

On the Security and Privacy of delegated computation Anca Nitulescu DI ENS - Cascade Outline Directions SNARKs Motivation Introduction Quantum SNARKs Arguments of Difficulties Knowledge Cloud Applications Computation SNARK Open

746 views • 61 slides
Some Recent SNARKs Saba Eskandarian Qualifying Exam Talk Come, listen, my men, while I tell

Some Recent SNARKs Saba Eskandarian Qualifying Exam Talk Come, listen, my men, while I tell

Some Recent SNARKs Saba Eskandarian Qualifying Exam Talk Come, listen, my men, while I tell you again What is a zk-SNARK? The five unmistakable marks By which you may know, wheresoever you go, Z ero- K nowledge The warranted genuine Snarks.

1.31k views • 103 slides
Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos, Geoffroy Couteau 1 /11 Zero-Knowledge Proof prover verifier Complete: if P knows a solution, V accepts Sound: if there is no solution, P

1.25k views • 27 slides
Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle,

Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle,

Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle, Andrea Cerulli, Jens Groth, Sune Jakobsen, Mary Maller Zero-Knowledge Proofs for Statement Correct Program Execution Witness Prover Verifier

332 views • 32 slides
Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs Prover wants to convince verifier that x has some property Interactive Proofs Prover wants to convince verifier that x has some property i.e. x is in

3.29k views • 145 slides
Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne Broadbent (U. of Ottawa) arxiv:1911.07782 Quantum found. QZK Crypto TCS 2 / 19 Interactive proofs 3 / 19 Interactive proofs L NP P V 0

1.06k views • 89 slides
One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research

One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research

One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research -- Zurich Zero-Knowledge Proofs Zero-Knowledge Proofs Relation f(s)=t, and want to prove knowledge of s Zero-Knowledge Proofs Relation f(s)=t, and

1.04k views • 72 slides
On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek

On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek

On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018 Round-Complexity of ZK-Proofs for NP 2 Round-Complexity of ZK-Proofs for NP 2 Round-Complexity of ZK-Proofs for NP

835 views • 56 slides
Towards an Efficient Fault-Tolerance Scheme for GLB Claudia Fohry, Marco Bungart and Jonas Posner

Towards an Efficient Fault-Tolerance Scheme for GLB Claudia Fohry, Marco Bungart and Jonas Posner

GLB Fault Tolerance Scheme Experimental Results Towards an Efficient Fault-Tolerance Scheme for GLB Claudia Fohry, Marco Bungart and Jonas Posner Programming Languages / Methodologies June 14, 2015 1 / 18 GLB Fault Tolerance Scheme

744 views • 18 slides
Why Data Auditing is Important Arizona State Public Health Laboratory April 2019 Objectives

Why Data Auditing is Important Arizona State Public Health Laboratory April 2019 Objectives

Why Data Auditing is Important Arizona State Public Health Laboratory April 2019 Objectives Define data auditing Explain the importance of data auditing Data Auditing What does data mean to you? What is data auditing? When

648 views • 33 slides
Regulation, Div ersit y and Arbitrage Winslo w Strong Ph.D. Student at UC Santa Ba

Regulation, Div ersit y and Arbitrage Winslo w Strong Ph.D. Student at UC Santa Ba

Regulation, Div ersit y and Arbitrage Winslo w Strong Ph.D. Student at UC Santa Ba rba ra A dviso r: Jean-Pierre F ouque Third W estern Conferene in Mathematial Finane San ta Barbara, California No v em b er

612 views • 21 slides
Zerocash: addressing Bitcoin's privacy problem Alessandro Chiesa UC Berkeley 1 Bitcoin's

Zerocash: addressing Bitcoin's privacy problem Alessandro Chiesa UC Berkeley 1 Bitcoin's

Zerocash: addressing Bitcoin's privacy problem Alessandro Chiesa UC Berkeley 1 Bitcoin's Privacy Problem 2 Would you like a new credit card? You will pay almost no fees! Sure! Any fine print? We will publicly broadcast every payment that

473 views • 34 slides
The Command Line Toolbox A Crash Course on building your own CLI tools Michael Bates !" #$

The Command Line Toolbox A Crash Course on building your own CLI tools Michael Bates !" #$

The Command Line Toolbox A Crash Course on building your own CLI tools Michael Bates !" #$ Kentucky Swing Dance Learn Swift Louisville Organizer " Day job: Python & JS CLI tools: Swift Goals Learn Tips & Tricks

1.17k views • 88 slides
The bibliotek-o Framework: Principles, Patterns, and a Process for Community Engagement Folsom,

The bibliotek-o Framework: Principles, Patterns, and a Process for Community Engagement Folsom,

The bibliotek-o Framework: Principles, Patterns, and a Process for Community Engagement Folsom, Steven Kovari, Jason Younes, Rebecca Cornell University Cornell University Cornell University sf433@cornell.edu jak473@cornell.edu

395 views • 12 slides
CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco

CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco

CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco http://www.cs.usfca.edu/~keldefrawy/teaching /fall2019/cs683/cs683_main.htm 1 Privacy cy and Anonymity 2 Privacy Privacy and Society

869 views • 86 slides
11/16/15 iTunes U 1 11/16/15 2 11/16/15 $ " / # ) & & * " / $ #

11/16/15 iTunes U 1 11/16/15 2 11/16/15 $ " / # ) & & * " / $ #

11/16/15 iTunes U 1 11/16/15 2 11/16/15 $ " / # ) & & * " / $ # " . - , + ( * ) ( $ $ 2 $ ' & * & & $ % 1 # # " ! " . - # * " $ & . $ ( 0

240 views • 13 slides

More recommend