ZERO KNOWLEDGE PROOFS Satya Lokam 15 Dec 2019 IndoCrypt 2019 - PowerPoint PPT Presentation

  1. ZERO KNOWLEDGE PROOFS Satya Lokam 15 Dec 2019 IndoCrypt 2019

  2. Akbar – Birbal Games • Akbar (Verifier): switches the two balls or not, each with prob. ½, and asks “switched?” • Birbal (Prover): claims the balls have different colors; answers yes or no to “switched?” • Akbar rejects if the answer is wrong, else accepts

  3. Arthur – Merlin Games • Verifier (Arthur): switches or not with prob. ½ and asks “switched?” • Prover (Merlin): claims the balls have different colors; answers yes or no to “switched?” • Verifier rejects if the answer is wrong, else accepts

  4. Why is this a good proof? • Completeness: If the Prover’s claim is correct, he succeeds in convincing an untrusting verifier of his claim (with prob. 1) • If Birbal’s claim is correct, he always answers correctly, and Akbar will be convinced that the balls are of different colors • Soundness: A cheating prover (trying to prove an incorrect claim) can only succeed with negligible probability in convincing the verifier, i.e., the verifier will catch a cheating prover with high probability • If Birbal is lying (the balls are really the same color), he can only guess, so his answer is wrong with prob. ½ in each round and Akbar catches him within k independent rounds with prob. 1 − 2^{−k}, exponentially close to 1

  5. Why is it Zero Knowledge? • Whatever (distribution of) responses Birbal gave to Akbar can be simulated by Akbar without talking to Birbal: in the ball game Akbar’s view is (his coin, Birbal’s answer) with answer = coin, which Akbar can write down himself • Simulator: can simulate the verifier’s view of the world without interacting with the prover, given only the input and the prover’s assertion • ⇒ The verifier did not learn anything from the prover, i.e., the proof is zero knowledge! • Existence of a simulator ⇒ zero knowledge

  6. Every problem in NP has a ZKP [GMW ’86] • 3-colorability (without revealing the coloring) • Sudoku puzzle (without revealing the solution) • Good RSA modulus N = p · q (without revealing the prime factors p and q)

  7. Correct execution of any (feasible) program C has a ZKP: C(x, w) = y ? • Verifier (Akbar) holds the circuit C, the input x and the claimed output y • Prover holds the input x and the witness w • e.g., input x = N, witness w = (p, q)

  8. ZKP of a good RSA modulus • Statement (as a circuit): N = p · q ∧ prime?(p) ∧ prime?(q) • Verifier (Akbar) has N • Prover has N, p, q

  9. Parameters of ZKP systems (axes of the design space) • Prover complexity: exp(n), poly(n), n log n, n, … • Proof length: n, sqrt(n), log^c(n), O(1), … • Verifier complexity: n, sqrt(n), log^c(n), O(1), … • Interaction: no. of rounds, Interactive Oracle Proofs (IOP), non-interactive • Crypto assumptions: CRH, DDH, BDH, KoE, post-quantum • Setup: trusted (CRS, SRS) vs. public • Generality: C programs, arithmetic circuits, Boolean circuits, SQL, R1CS, QAP, QSP, range proofs, signatures, encryption • Models: IOP, MPC-in-the-head

  10. Zero Knowledge Proof Systems • Non-interactive proof systems: Pinocchio [PGHR ’13], libSNARK [BCTV ’14], Ligero [AHIV ’17], libSTARK [BBHR ’18], BulletProofs [BBBPWM ’18], Hyrax [WTsTW ’18], Aurora [BCRSVW ’19], Libra [XZZPS ’19], Spartan [S ’19], … • Aurora, for circuits with ≈ 1M gates: prover time 800 sec., proof size 200 KB, verifier time 8 sec. • Libra, 256×256 matrix multiplication: prover time 100 sec., proof size 10 KB, verifier time 0.1 sec. • zCash deploys zkSNARKs: 288 bytes of proof per txn, 6 ms to verify per txn, 1 min to generate a proof per txn, 896 MB of fixed parameters

  11. Example flow to construct a zkSNARK: C program → Arithmetic circuit → Polynomial equations → Sum-check → Interactive proof → Non-interactive proof → Zero knowledge proof

  12. ZKP’s for Blockchains: Anonymity and Confidentiality • Monero – RingCT • BulletProofs – range proofs and more • Omniring – range proofs + ring signatures • zCash – zkSNARKs • Ethereum – zkSNARKs • . . .

  13. Conclusions (for the warm-up) • Significant progress bridging theory and practice • Powerful cryptographic tool with applications within crypto: encryption, signatures, identification schemes, MPC • Privacy-preserving technologies: selective disclosure, policy compliance, blockchains • Blockchains: anonymity and confidentiality in cryptocurrencies; verify transactions, smart contracts, and block formation • Complex tradeoffs between theory and practice pose challenges • Long way to go, e.g., performance, avoiding trusted set-up, etc.

  14. Rest of the talk(s) • Outline: basics and background; simple examples; two specific constructions • Tutorial, but: non-rigorous; not a substitute for classroom and reading papers

  15. Interactive Arguments/Proofs • [Figure: Prover 𝒫 and Verifier 𝒱 exchanging messages; from [WTsTW ’18]]

  16. Zero Knowledge Proof/Argument • [Figure: Simulator 𝒮 producing the Verifier 𝒱’s view without the Prover; from [WTsTW ’18]]

  17. ZKP for Graph 3-Coloring • Prover: let χ be a 3-coloring of G; randomly permute the colors with π, i.e., η(v) := π(χ(v)); send η in n locked boxes (one per vertex) and keep the keys • Verifier: uniformly select a random edge (u, v) of G • Prover: send the keys to the boxes for u and v • Verifier: open the boxes for u and v; accept iff they contain different colors
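A runnable version of the protocol on this slide, added by the editor and not part of the deck. The locked boxes are hash commitments (SHA-256 over a random 16-byte key and the color), the graph and both colorings are constructed for the example, and the simulator of slide 5 is given for a verifier whose edge choice is known in advance (for an honest verifier this is the case; a full simulator obtains the edge by rewinding). All names (`run_protocol`, `simulate_round`, `lock`, …) are this example’s, not the slide’s.

```python
import hashlib
import secrets

# Constructed example graph (not from the slides): a 5-cycle plus a hub joined to
# three cycle vertices. It is 3-colorable but, having an odd cycle, not 2-colorable.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (5, 0), (5, 2), (5, 4)]
N = 6
GOOD = [0, 1, 0, 1, 2, 1]  # a valid 3-coloring: the prover's witness
BAD = [0, 1, 0, 1, 2, 2]   # edge (5, 4) is monochromatic: a cheating prover's "coloring"

def lock(color, key):
    # A locked box: a hash commitment to the color, opened by revealing the key (nonce)
    return hashlib.sha256(key + bytes([color])).digest()

def random_permutation():
    perm = [0, 1, 2]
    for i in range(2, 0, -1):  # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm

def prover_commit(coloring):
    # Permute the colors, lock every vertex's (permuted) color in a box, keep the keys
    perm = random_permutation()
    colors = [perm[c] for c in coloring]
    keys = [secrets.token_bytes(16) for _ in range(N)]
    boxes = [lock(colors[v], keys[v]) for v in range(N)]
    return boxes, colors, keys

def verifier_pick_edge():
    return EDGES[secrets.randbelow(len(EDGES))]

def prover_open(colors, keys, u, v):
    return (colors[u], keys[u]), (colors[v], keys[v])

def verifier_check(boxes, u, v, open_u, open_v):
    (cu, ku), (cv, kv) = open_u, open_v
    return (cu in (0, 1, 2) and cv in (0, 1, 2) and cu != cv
            and lock(cu, ku) == boxes[u] and lock(cv, kv) == boxes[v])

def run_protocol(coloring, rounds):
    # Completeness: a correct coloring always passes. Soundness: a coloring with a bad
    # edge survives one round with prob. at most 1 - 1/|E|, so k rounds with (1 - 1/|E|)^k.
    for _ in range(rounds):
        boxes, colors, keys = prover_commit(coloring)
        u, v = verifier_pick_edge()
        if not verifier_check(boxes, u, v, *prover_open(colors, keys, u, v)):
            return False
    return True

def simulate_round(u, v):
    # Zero knowledge (slide 5): the verifier's view of a round, produced with no coloring at all.
    # Knowing which edge will be asked, lock two random distinct colors at u and v and arbitrary
    # colors elsewhere: the opened pair is uniform over distinct pairs exactly as in the real
    # protocol (thanks to the random permutation), and the other boxes stay shut either way.
    cu = secrets.randbelow(3)
    cv = (cu + 1 + secrets.randbelow(2)) % 3
    colors = [secrets.randbelow(3) for _ in range(N)]
    colors[u], colors[v] = cu, cv
    keys = [secrets.token_bytes(16) for _ in range(N)]
    boxes = [lock(colors[w], keys[w]) for w in range(N)]
    return boxes, (cu, keys[u]), (cv, keys[v])
```

With |E| = 8, a prover holding `BAD` passes 200 rounds with probability (7/8)^200 ≈ 2.5·10⁻¹², which is why the soundness error of one round has to be driven down by repetition; the number of rounds needed grows with |E|, and the real GMW protocol uses a commitment scheme in place of the hash-with-nonce shortcut here.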

  18. A ZKP of Discrete Log • Group G = ⟨g⟩ of prime order q (e.g., an order-q subgroup of ℤ_p^* with q | p − 1) • Assumption: Decisional Diffie–Hellman (DDH) is hard in G • Verifier knows y and g • Prover’s claim: I know x ∈ ℤ_q such that y = g^x

  19. A ZKP of Discrete Log • Prover: pick r ∈ ℤ_q, send e = g^r • Verifier: pick c ∈ ℤ_q, send c • Prover: send s = c·x + r (mod q) • Verifier: accept iff g^s = e · y^c

  20. Non-Interactive ZK (Fiat–Shamir Paradigm) • Interactive: Prover picks r ∈ ℤ_q, sends e = g^r; Verifier picks c ∈ ℤ_q; Prover sends s = c·x + r; Verifier checks g^s = e · y^c • Non-interactive: Prover picks r ∈ ℤ_q, computes e = g^r, c = H(e), s = c·x + r and sends (e, s); Verifier recomputes c = H(e) and checks g^s = e · y^{H(e)} • In practice H also takes the statement (g, y) as input, so that a proof cannot be re-used for a different statement

  21. Homomorphic Commitments • A commitment is like a sealed envelope / locked box: Commit and Open • Binding: the committer cannot open to a different value • Hiding: the commitment reveals nothing about the value • Pedersen commitment: generators g and h of G, with log_g h unknown to everyone • Commit(x): C(x, r) := g^x · h^r for random r ∈ ℤ_q • Open(C) := (x, r) • Additive homomorphism: g^a · g^b = g^{a+b}, hence C(x1, r1) · C(x2, r2) = C(x1 + x2, r1 + r2)

  22. Pedersen (Multi)Commitments: some interesting properties (from [WTsTW ’18]) • Knowledge of opening • Equality of committed values • Proof of a product relationship • Proof of dot product

  23. Range Proofs • Balancing blindfolded: hide your money in the exponent! • Pedersen vector commitments: generators g = (g1, …, gn) and h; Com(x) = h^r · g^x = h^r · (g1^{x1} ⋯ gn^{xn}) = h^r · Π_{i=1}^{n} gi^{xi} • Inner product proof: the prover claims that two vectors a, b, committed as above, have a committed inner product c, i.e., P := g^a · h^b · u^c where c = ⟨a, b⟩ := Σ_i a_i b_i • Range check with an inner product: V ∈ [0, R] with R = 2^r − 1 iff V = ⟨v, 2^r⟩ for some bit vector v = (v1, …, vr) ∈ {0,1}^r, i.e., V = v1·2^0 + v2·2^1 + ⋯ + vr·2^{r−1}, where 2^r := (2^0, 2^1, …, 2^{r−1}) • The proof must also establish that every v_i ∈ {0, 1} (e.g., via v ∘ (v − 1) = 0); the inner-product identity alone says nothing about the range
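The discrete-log and commitment material of slides 18 to 23 in one runnable piece, added by the editor; it is not code from the talk. Assumptions of this example: the group is the order-q subgroup of squares modulo a safe prime p = 2q + 1 just above 2^64, found by a deterministic search at import time; the Fiat–Shamir hash covers (p, g, h, statement, e); the second Pedersen generator h is derived by hashing so that log_g h is unknown; and the range part checks only the homomorphic identity Π C_i^{2^i} = C(V) from the bit decomposition, leaving the per-bit 0/1 proofs out. All function names are the example’s own.

```python
import hashlib
import secrets

# Group parameters: a safe prime p = 2q + 1 just above 2^64, found deterministically
# at import time. The size is this example's choice (the slides fix none); deployed
# systems use ~256-bit elliptic-curve groups, but the algebra below is identical.
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # Miller-Rabin is exact below 3.3e24 with these

def is_prime(n):
    if n < 2:
        return False
    for a in BASES:
        if n % a == 0:
            return n == a
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        if all((x := x * x % n) != n - 1 for _ in range(r - 1)):
            return False
    return True

def safe_prime_after(start):
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime_after(1 << 64)
G = 4  # a square mod P, hence a generator of the order-Q subgroup
H = pow(int.from_bytes(hashlib.sha256(b"second generator").digest(), "big") % P, 2, P)
assert H not in (0, 1)  # nobody knows log_G(H); that is what makes Pedersen binding

def fs_challenge(*parts):
    # Fiat-Shamir: hash group, statement and commitment into Z_Q (encoding is this example's choice)
    data = "|".join(str(v) for v in (P, G, H) + parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

# Slides 18-20: Schnorr proof of knowledge of x with y = base^x.
def schnorr_commit(base):
    r = secrets.randbelow(Q)
    return r, pow(base, r, P)  # e = base^r

def schnorr_respond(x, r, c):
    return (c * x + r) % Q  # s = c*x + r

def schnorr_verify(base, y, e, c, s):
    return pow(base, s, P) == e * pow(y, c, P) % P  # base^s == e * y^c

def schnorr_prove_nizk(base, x):
    y, (r, e) = pow(base, x, P), schnorr_commit(base)
    c = fs_challenge(base, y, e)  # the verifier's coin c becomes H(g, y, e)
    return e, schnorr_respond(x, r, c)

def schnorr_verify_nizk(base, y, proof):
    e, s = proof
    return schnorr_verify(base, y, e, fs_challenge(base, y, e), s)

def schnorr_simulate(base, y):
    # Slides 5/16: a transcript with the honest distribution, made without x (pick c, s; solve for e)
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(base, s, P) * pow(y, Q - c, P) % P, c, s

def schnorr_extract(c1, s1, c2, s2):
    # Special soundness: two answers to the same e with c1 != c2 reveal x
    return (s1 - s2) * pow(c1 - c2, -1, Q) % Q

# Slides 21-22: Pedersen commitment C(x, r) = g^x h^r, and a use of its homomorphism.
def commit(x, r=None):
    r = secrets.randbelow(Q) if r is None else r % Q
    return pow(G, x, P) * pow(H, r, P) % P, r

def prove_equal(r1, r2):
    # C1, C2 commit to the same x  <=>  C1 / C2 = h^(r1 - r2): a Schnorr proof with base h
    return schnorr_prove_nizk(H, (r1 - r2) % Q)

def verify_equal(C1, C2, proof):
    return schnorr_verify_nizk(H, C1 * pow(C2, -1, P) % P, proof)

# Slide 23: V in [0, 2^n - 1]  <=>  V = <v, (2^0, ..., 2^(n-1))> for a bit vector v.
def commit_bits(V, rV, n):
    # Commit to each bit, choosing the last randomness so that sum r_i 2^i = rV (mod Q)
    bits = [(V >> i) & 1 for i in range(n)]
    rs = [secrets.randbelow(Q) for _ in range(n - 1)]
    rs.append((rV - sum(r << i for i, r in enumerate(rs))) * pow(1 << (n - 1), -1, Q) % Q)
    return [commit(b, r)[0] for b, r in zip(bits, rs)]

def verify_bit_aggregation(C_V, bit_commits):
    # Verifier: prod C_i^(2^i) == C_V, i.e. <v, 2^n> = V under the commitment. Showing every
    # v_i in {0, 1} still needs a per-bit proof (the slide's inner-product argument); omitted here.
    prod = 1
    for i, Ci in enumerate(bit_commits):
        prod = prod * pow(Ci, 1 << i, P) % P
    return prod == C_V
```

Swapping the 64-bit safe prime for a 256-bit elliptic-curve group changes only `P`, `Q`, `G`, `H` and the `pow` calls; the protocol logic stays the same. Note that `prove_equal` is just `schnorr_prove_nizk` with base h: the homomorphism turns “same committed value” into a discrete-log statement about C1/C2, and `schnorr_simulate` is the simulator of slide 5 made concrete, since a verifier who can produce accepting (e, c, s) triples on its own has learned nothing about x from the real ones.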

  24. Conclusions • ZKPs are a powerful cryptographic tool • Can provide anonymity and confidentiality in cryptocurrencies • Useful in blockchains in general to verify transactions, smart contracts, and block formation while preserving privacy • Complex tradeoffs make bridging theory and applications challenging • Long way to go, e.g., performance, avoiding trusted set-up, etc.

  25. THANK YOU!
