zero knowledge proofs
play

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 - PowerPoint PPT Presentation

Nov 14, 2023 •144 likes •1.9k views

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive Proofs 2 Interactive Proofs Prover wants to convince verifier that x has some property 2 Interactive Proofs Prover wants to convince verifier

  1. An Example Why is this convincing? G* G* := ! (G 1 ) (random ! ) b random bit b if b=1, ! * := ! if b=0, ! * := ! o σ G*= ! *(G b )? ! * 12

  2. An Example Why is this convincing? If prover can answer both b’s for the same G* then G 0 ~G 1 G* G* := ! (G 1 ) (random ! ) b random bit b if b=1, ! * := ! if b=0, ! * := ! o σ G*= ! *(G b )? ! * 12

  3. An Example Why is this convincing? If prover can answer both b’s for the same G* then G 0 ~G 1 G* Otherwise, testing on a random b will leave prover stuck w.p. 1/2 G* := ! (G 1 ) (random ! ) b random bit b if b=1, ! * := ! if b=0, ! * := ! o σ G*= ! *(G b )? ! * 12

  4. An Example Why is this convincing? If prover can answer both b’s for the same G* then G 0 ~G 1 G* Otherwise, testing on a random b will leave prover stuck w.p. 1/2 G* := ! (G 1 ) Why ZK? (random ! ) b random bit b if b=1, ! * := ! if b=0, ! * := ! o σ G*= ! *(G b )? ! * 12

  5. An Example Why is this convincing? If prover can answer both b’s for the same G* then G 0 ~G 1 G* Otherwise, testing on a random b will leave prover stuck w.p. 1/2 G* := ! (G 1 ) Why ZK? (random ! ) b random bit Verifier’s view: random b b and ! * s.t. G*= ! *(G b ) if b=1, ! * := ! if b=0, ! * := ! o σ G*= ! *(G b )? ! * 12

  6. An Example Why is this convincing? If prover can answer both b’s for the same G* then G 0 ~G 1 G* Otherwise, testing on a random b will leave prover stuck w.p. 1/2 G* := ! (G 1 ) Why ZK? (random ! ) b random bit Verifier’s view: random b b and ! * s.t. G*= ! *(G b ) if b=1, ! * := ! if b=0, ! * := ! o σ Which he could have G*= ! *(G b )? generated by himself (whether G 0 ~G 1 or not) ! * 12

  7. Zero-Knowledge Proofs 13

  8. Zero-Knowledge Proofs Interactive Proof 13

  9. Zero-Knowledge Proofs Interactive Proof Complete and Sound 13

  10. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: 13

  11. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: 13

  12. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: 13

  13. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: Ah, got it! 42 13

  14. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: Ah, got it! 42 13

  15. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: Verifier’s view could have been “simulated” Ah, got it! 42 13

  16. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: Verifier’s view could have been “simulated” Ah, got it! 42 13

  17. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: Verifier’s view could have been “simulated” Ah, got it! 42 13

  18. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: Verifier’s view could have been “simulated” L n i x Ah, got it! 42 13

  19. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: Ah, got it! Verifier’s view could 42 have been “simulated” L n i x Ah, got it! 42 13

  20. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: Ah, got it! Verifier’s view could 42 have been “simulated” L For every adversarial n i x Ah, got it! strategy, there exists 42 a simulation strategy 13

  21. ZK Property (in other pict’ s) x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL 14

  22. ZK Property (in other pict’ s) x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL 14

  23. ZK Property (in other pict’ s) x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL 14

  24. ZK Property (in other pict’ s) Classical definition uses simulation only for corrupt receiver; x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL 14

  25. ZK Property (in other pict’ s) Classical definition uses simulation only for corrupt receiver; and uses only standalone security: Environment gets only a transcript at the end x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL 14

  26. SIM ZK x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL 15

  27. SIM ZK • SIM-ZK would require simulation also when prover is corrupt x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL 15

  28. SIM ZK • SIM-ZK would require simulation also when prover is corrupt • Then simulator is a witness extractor x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL 15

  29. SIM ZK • SIM-ZK would require simulation also when prover is corrupt • Then simulator is a witness extractor • Adding this (in standalone) makes it a Proof of Knowledge x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL 15

  30. Results 16

  31. Results IP and ZK defined [GMR’85] 16

  32. Results IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86] 16

  33. Results IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86] Assuming one-way functions exist 16

  34. Results IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86] Assuming one-way functions exist ZK for all of IP [BGGHKMR’88] 16

  35. Results IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86] Assuming one-way functions exist ZK for all of IP [BGGHKMR’88] Everything that can be proven can be proven in zero-knowledge! (Assuming OWF) 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge https://en.wikipedia.org/wiki/Zero-knowledge_proof Protocols Zero Knowledge Proofs: An Illustrated Primer by M. Green. Part I: https://blog.cryptographyengineering.com/2014/11/27/ Jim

389 views • 18 slides
Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner

Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner

Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner TA: Malvin Gattinger October 22, 2014 1 / 27 Introduction Zero-knowledge proofs are proofs that yield nothing beyond the validity of the

415 views • 27 slides
Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a

Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a

Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a property about an element without revealing Lelantus ZCoins Zero-Knowledge protocol Prove that transactions are valid, without revealing

1.37k views • 72 slides
Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien

Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien

Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien Canard (1) , David Pointcheval (2) and Olivier Sanders (1 , 2) S (1) Orange Labs, Caen, France (2) Ecole Normale Sup erieure, Paris,

556 views • 31 slides
Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge Iftach Haitner, Tel Aviv University December 4, 2011 IP for GNI Part I Interactive Proofs IP for GNI Interactive Vs. Interactive Proofs Definition 1 (

1.51k views • 110 slides
Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos, Geoffroy Couteau 1 /11 Zero-Knowledge Proof prover verifier Complete: if P knows a solution, V accepts Sound: if there is no solution, P

1.25k views • 27 slides
Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle,

Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle,

Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle, Andrea Cerulli, Jens Groth, Sune Jakobsen, Mary Maller Zero-Knowledge Proofs for Statement Correct Program Execution Witness Prover Verifier

332 views • 32 slides
Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs Prover wants to convince verifier that x has some property Interactive Proofs Prover wants to convince verifier that x has some property i.e. x is in

3.29k views • 145 slides
Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap Lelantus One e ffi cient

Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap Lelantus One e ffi cient

Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap Lelantus One e ffi cient way to do 1-in-N proofs zk-SNARKs A general way to prove anything in Zero-Knowledge (if you dont know how to do it any other way, use

3.26k views • 68 slides
Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne Broadbent (U. of Ottawa) arxiv:1911.07782 Quantum found. QZK Crypto TCS 2 / 19 Interactive proofs 3 / 19 Interactive proofs L NP P V 0

1.06k views • 89 slides
One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research

One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research

One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research -- Zurich Zero-Knowledge Proofs Zero-Knowledge Proofs Relation f(s)=t, and want to prove knowledge of s Zero-Knowledge Proofs Relation f(s)=t, and

1.04k views • 72 slides
On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek

On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek

On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018 Round-Complexity of ZK-Proofs for NP 2 Round-Complexity of ZK-Proofs for NP 2 Round-Complexity of ZK-Proofs for NP

835 views • 56 slides
Zero Knowledge Proofs Muthuramakrishnan Venkitasubramaniam An example An example I (re)solved

Zero Knowledge Proofs Muthuramakrishnan Venkitasubramaniam An example An example I (re)solved

Zero Knowledge Proofs Muthuramakrishnan Venkitasubramaniam An example An example I (re)solved P vs NP? S I How? Here is the proof Can I convince someone the validity of something Clay without revealing the proof? Institute

619 views • 46 slides
Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs Flattening the computation x 4 + x + 2 = 86 Proof: We know so that (hint ) x x = 3 We can verify all basic operations (+,-,*,assignment) We

1.28k views • 62 slides
Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang

Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang

Indistinguishable Proofs of Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang ASIACRYPT 2016 8th December, Hanoi, Vietnam Motivation (ZK) Proofs of Knowledge - PoK Statement: Prover

984 views • 79 slides
Towards Interactive Belief, Knowledge & Provability: Possible Application to Zero-Knowledge

Towards Interactive Belief, Knowledge & Provability: Possible Application to Zero-Knowledge

Computer Laboratory Security Seminar Cambridge University Towards Interactive Belief, Knowledge & Provability: Possible Application to Zero-Knowledge Proofs Ph.D. Thesis Chapter 5 Simon Kramer December 18, 2007 Target audience:

496 views • 16 slides
Mobile Communications Chapter 8: Network Protocols/Mobile IP Motivation Problems Data

Mobile Communications Chapter 8: Network Protocols/Mobile IP Motivation Problems Data

Mobile Communications Chapter 8: Network Protocols/Mobile IP Motivation Problems Data transfer Micro mobility support Encapsulation DHCP Security Ad-hoc networks IPv6 Routing protocols Prof. Dr.-Ing. Jochen

984 views • 39 slides
Biovigilance Component Hemovigilance Overview 1 Welcome to the National Healthcare Safety

Biovigilance Component Hemovigilance Overview 1 Welcome to the National Healthcare Safety

Biovigilance Component Hemovigilance Overview 1 Welcome to the National Healthcare Safety Network Biovigilance Component Hemovigilance Overview! 1 Target Audience This session is designed for Those who will collect and analyze

603 views • 37 slides
Hur on We binar Se r ie s: Data Migr ation Date s, Re vise d Doc ume nts for Ne w

Hur on We binar Se r ie s: Data Migr ation Date s, Re vise d Doc ume nts for Ne w

Hur on We binar Se r ie s: Data Migr ation Date s, Re vise d Doc ume nts for Ne w Submissions, and Othe r Ne ws! Se pte mb e r 12, 2019 Da ta Mig ra tio n Da te s T opic s to I mpo rta nc e o f Ne w T e mpla te s Cove r Ne w Pro

293 views • 14 slides
Other Covered Units An environmental investigation revealed the index unit in a multi- unit

Other Covered Units An environmental investigation revealed the index unit in a multi- unit

EBLL Response in Public Housing: Other Covered Units An environmental investigation revealed the index unit in a multi- unit property has lead- based paint hazards What now? RESPONDING TO EBLLs: Other Covered Units Perform a risk

435 views • 12 slides
Local Area Networks and Medium Access Control Protocols Multiple Access Networks Broadcast

Local Area Networks and Medium Access Control Protocols Multiple Access Networks Broadcast

Local Area Networks and Medium Access Control Protocols Multiple Access Networks Broadcast and multiple access technologies are very common for LANs and for wireless settings. 3 2 4 1 Shared Multiple Access Medium 5 M 1

566 views • 55 slides
Information Complexity Density and Simulation of Protocols Himanshu Tyagi Indian Institute of

Information Complexity Density and Simulation of Protocols Himanshu Tyagi Indian Institute of

Information Complexity Density and Simulation of Protocols Himanshu Tyagi Indian Institute of Science, Bangalore with Pramod Viswanath (UIUC), Shaileshh Venkatakrishnan (UIUC), and Shun Watanabe (TUAT) Private Coin Interactive Protocols X Y

767 views • 43 slides
Monotonic Concession Protocols for Multilateral Negotiation Ulle Endriss Institute for Logic,

Monotonic Concession Protocols for Multilateral Negotiation Ulle Endriss Institute for Logic,

Monotonic Concession Protocols for Multilateral Negotiation AAMAS-2006 Monotonic Concession Protocols for Multilateral Negotiation Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam Ulle Endriss 1 Monotonic

107 views • 10 slides
ASHEVILLE CARES STAY SAFE PLEDGE RESIDENTS NOT READY FOR TOURISTS Source: SMARInsights Domestic

ASHEVILLE CARES STAY SAFE PLEDGE RESIDENTS NOT READY FOR TOURISTS Source: SMARInsights Domestic

ASHEVILLE CARES STAY SAFE PLEDGE RESIDENTS NOT READY FOR TOURISTS Source: SMARInsights Domestic Leisure Traveler Sentiment COVID SANITIZING MOST IMPORTANT 85% of consumers say that knowing the cleaning and sanitizing protocols for a city and

478 views • 30 slides

More recommend