ZERO KNOWLEDGE PROOFS Satya Lokam 15 Dec 2019 IndoCrypt 2019 - - PowerPoint PPT Presentation



SLIDE 1

ZERO KNOWLEDGE PROOFS

Satya Lokam 15 Dec 2019

IndoCrypt 2019

SLIDE 2

Akbar – Birbal Games

Prover (Birbal):
  • Claim: different colors
  • Answer yes or no to “switched?”

Verifier (Akbar):
  • Switch or not with prob. ½
  • Reject if wrong answer
  • Else accept

SLIDE 3

Arthur – Merlin Games

Prover (Merlin):
  • Claim: different colors
  • Answer yes or no to “switched?”

Verifier (Arthur):
  • Switch or not with prob. ½
  • Reject if wrong answer
  • Else accept

SLIDE 4

Why is this a good proof?

  • Completeness: If the Prover’s claim is correct, he succeeds in convincing an untrusting verifier of his claim (with prob. 1)
    • If Birbal’s claim is correct, he always answers correctly, and Akbar will be convinced that the balls are of different colors
  • Soundness: A cheating prover (trying to prove an incorrect claim) can only succeed with negligible probability in convincing the verifier, i.e., the verifier will catch a cheating prover with high probability
    • If Birbal is lying, he will fail with prob. ½ in each round and hence Akbar will catch him with prob. exponentially close to 1.

SLIDE 5

Why is it Zero Knowledge?

  • Whatever (distribution of) responses Birbal gave to Akbar can be simulated by Akbar without talking to Birbal
  • Simulator: can simulate the verifier’s view of the world without interacting with the prover, given the input and the prover’s assertion
  • ⇒ Verifier did not learn anything from the prover, i.e., the proof is zero knowledge!
  • Existence of Simulator ⇒ Zero Knowledge

SLIDE 6

Every problem in NP has a ZKP

[Figure: Prover and Verifier (Akbar)]

  • 3-colorability (without revealing the coloring)
  • Sudoku Puzzle (without revealing the solution)
  • Good RSA Modulus N = p ⋅ q (without revealing the prime factors p and q)

[GMW ‘86]

SLIDE 7

Correct execution of any (feasible) program C has a ZKP

[Figure: Prover (holds x, w) and Verifier (Akbar, holds x) around the circuit C]

  • x: input (e.g., N)
  • w: witness (e.g., p, q)
  • Circuit C
  • C(x, w) = y ?
  • Verifier gets x; Prover gets x, w

SLIDE 8

ZKP of a good RSA modulus

[Figure: Prover and Verifier (Akbar) around a circuit with inputs p, p, q, q, N; gates “prime?” on p and on q; output check N =? p ⋅ q]

  • Verifier gets N; Prover gets N, p, q

SLIDE 9

Parameters of ZKP systems

  • Prover Complexity: exp(n), poly(n), n log n, n, . . .
  • Proof Length and Verifier Complexity: sqrt(n), log^c(n), O(1); n, sqrt(n), log^c(n), O(1), . . .
  • Interaction Models: No. of Rounds; Interactive, Oracle, Noninteractive
  • Crypto Assumptions: CRH, DDH, BDH, KoE, Post-Quant
  • Setup Assumptions: Trusted, CRS, SRS, Public
  • Generality: Arith. C, Bool. C, R1CS, QAP, QSP, IOP, MPC in head, C prog, SQL, Range, Sigs, Enc

SLIDE 10

Zero Knowledge Proof Systems

  • Pinocchio [PGHR ‘13]
  • libSNARK [BCTV ‘14]
  • Ligero [AHIV ’17]
  • libSTARK [BBHR ’18]
  • BulletProofs [BBBPWM ’18]
  • Hyrax [WTsTW ’18]
  • Aurora [BCRSVW ’19]
  • Libra [XZZPS ‘19]
  • Spartan [S ’19]

(Non-interactive Proofs)

  • Aurora: for circuits with ≈ 1M gates
    • Prover time 800 sec.
    • Proof size 200 KB
    • Verifier time 8 sec.
  • Libra: 256×256 MatMul
    • Prover time 100 sec.
    • Proof size 10 KB
    • Verifier time 0.1 sec.
  • zCash deploys zkSNARKs
    • 288 bytes of proof per txn
    • 6 ms to verify per txn
    • 1 min to generate proof per txn
    • 896 MB fixed parameters

SLIDE 11

Example flow to construct a zkSNARK

C program → Arith. Ckt → Poly. Eqns → Sum Check → Interactive Proof → Non-interactive Proof → Zero Knowledge Proof

SLIDE 12

ZKP’s for Blockchains Anonymity and Confidentiality

  • Monero – RingCT
  • BulletProofs – Range Proofs and more
  • Omniring – Range Proofs + Ring Sigs
  • zCash – zkSNARKS
  • Ethereum – zkSNARKS
  • . . .

SLIDE 13

Conclusions (for the warm-up)

  • Significant progress bridging theory and practice
  • Powerful cryptographic tool with applications
    • within Crypto
      • Encryption, Sigs, Id Schemes, MPC
    • Privacy preserving technologies
      • Selective Disclosure, Policy Compliance
    • Blockchains
      • anonymity and confidentiality in cryptocurrencies
      • verify transactions, smart contracts, and block formation
  • Complex tradeoffs pose challenges
  • Long way to go, e.g., performance, avoid trusted set-up, etc.

[Figure: Theory ⟷ Practice]

SLIDE 14

Rest of the talk(s)

Outline
  • Basics and background
  • Simple examples
  • Two specific constructions

Tutorial, but …
  • Non-rigorous
  • Not a substitute for classroom and reading papers

SLIDE 15

Interactive Arguments/Proofs

From [WTsTW ’18]

[Figure: Prover 𝒫 and Verifier 𝒱 exchanging messages]

SLIDE 16

Zero Knowledge Proof/Argument

From [WTsTW ’18]

[Figure: Simulator 𝒮 and Verifier 𝒱]

SLIDE 17

ZKP for Graph 3-Coloring

Prover:
  • Let χ be a 3-coloring of G
  • Randomly permute the colors: η(v) := π(χ(v))
  • Send η in n locked boxes; keep the keys
  • Send the keys to the boxes for u and v

Verifier:
  • Uniformly select a random edge (u, v) of G
  • Open the boxes for u and v
  • Accept iff they contain different colors
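The locked-box protocol above, as an added Python example (not code from the talk): the boxes are SHA-256 hash commitments, the graph, its coloring χ and the cheating coloring are constructed toy inputs, and repeating the rounds shows the soundness amplification from slide 4.

```python
import hashlib
import random

# Constructed toy instance (an assumption of this example, not from the slides):
# a 5-cycle with one chord, a valid 3-coloring chi, and a cheating coloring.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)]
CHI = {0: 0, 1: 1, 2: 2, 3: 0, 4: 1}        # valid: no edge is monochromatic
BAD_CHI = {0: 0, 1: 1, 2: 0, 3: 0, 4: 1}    # cheating prover: edge (0, 2) is monochromatic

def lock(color, key):
    """A 'locked box': hash commitment to a color under a random key."""
    return hashlib.sha256(key + bytes([color])).hexdigest()

def prover_commit(chi, rng):
    """Prover: eta(v) := pi(chi(v)) for a fresh random permutation pi; lock eta in n boxes."""
    pi = [0, 1, 2]
    rng.shuffle(pi)
    eta = {v: pi[chi[v]] for v in chi}
    keys = {v: rng.getrandbits(128).to_bytes(16, "big") for v in chi}
    boxes = {v: lock(eta[v], keys[v]) for v in chi}
    return boxes, eta, keys

def verifier_check(boxes, u, v, opening_u, opening_v):
    """Verifier: open the two boxes and accept iff they hold different colors."""
    col_u, key_u = opening_u
    col_v, key_v = opening_v
    if lock(col_u, key_u) != boxes[u] or lock(col_v, key_v) != boxes[v]:
        return False                         # the opening does not match the box
    return col_u != col_v

def run_protocol(chi, rounds, seed=0):
    """Repeat the 3-coloring ZKP; True iff the verifier accepts every round."""
    rng = random.Random(seed)
    for _ in range(rounds):
        boxes, eta, keys = prover_commit(chi, rng)
        u, v = rng.choice(EDGES)             # verifier: uniformly random edge of G
        if not verifier_check(boxes, u, v, (eta[u], keys[u]), (eta[v], keys[v])):
            return False
    return True

def min_catch_probability(rounds):
    """Soundness bound: a wrong coloring has some bad edge, hit with prob >= 1/|E| per round."""
    return 1 - (1 - 1 / len(EDGES)) ** rounds

if __name__ == "__main__":
    print(run_protocol(CHI, 100), run_protocol(BAD_CHI, 100), round(min_catch_probability(100), 6))
```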

SLIDE 18

A ZKP of Discrete Log

  • Group G = ⟨g⟩ of prime order p. Let q = p − 1
  • Assumption: Decisional Diffie Hellman (DDH) is hard in G

Verifier knows y and g

Prover’s claim: knows x in ℤ_q such that y = g^x

SLIDE 19

A ZKP of Discrete Log

Prover:
  • Pick r in ℤ_q
  • e = g^r (send e)
  • s = cx + r (send s)

Verifier:
  • Pick c ∈ ℤ_q (send c)
  • Verify: g^s = e ⋅ y^c

SLIDE 20

Non-Interactive ZK (Fiat-Shamir Paradigm)

Prover:
  • Pick r ∈ ℤ_q
  • e = g^r
  • c = H(e)
  • s = cx + r (send e, s)

Verifier:
  • c = H(e) (in place of picking c in ℤ_q)
  • Verify: g^s = e ⋅ y^c
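The Schnorr protocol of slides 18–20 in both its interactive and Fiat–Shamir forms, as an added Python example (not from the talk), together with the simulator of slide 5 that outputs accepting transcripts without ever seeing x. It assumes a toy subgroup of prime order q inside Z_p^* with p = 2q + 1 (far too small to be secure), and hashes (g, y, e) rather than only e.

```python
import hashlib
import secrets

# Constructed toy parameters (an assumption of this example; not a secure size):
# p = 2q + 1 is a safe prime and g = 2^2 generates the subgroup of Z_p^* of prime
# order q, so every exponent lives in Z_q as on the slides.
P, Q = 2039, 1019
G = 4

def commit(r):
    """Prover, step 1: e = g^r for a fresh random r in Z_q."""
    return pow(G, r, P)

def respond(x, c, r):
    """Prover, step 2: s = c*x + r (mod q), the only step that uses the secret x."""
    return (c * x + r) % Q

def verify(y, e, c, s):
    """Verifier: accept iff g^s = e * y^c (mod p)."""
    return pow(G, s, P) == (e * pow(y, c, P)) % P

def fiat_shamir_challenge(y, e):
    """The slide writes c = H(e); hashing (g, y, e) too binds c to the statement being proved."""
    digest = hashlib.sha256(f"{G}|{y}|{e}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def prove_noninteractive(x):
    """Non-interactive proof (e, s) of knowledge of x with y = g^x."""
    r = secrets.randbelow(Q)
    e = commit(r)
    c = fiat_shamir_challenge(pow(G, x, P), e)
    return e, respond(x, c, r)

def verify_noninteractive(y, e, s):
    """Verifier recomputes the challenge from the transcript, then runs the same check."""
    return verify(y, e, fiat_shamir_challenge(y, e), s)

def simulate(y):
    """Simulator for the interactive protocol: pick c and s first, then solve for
    e = g^s * y^(-c). The transcript verifies although no x was used."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    e = (pow(G, s, P) * pow(y, (Q - c) % Q, P)) % P   # y^(q-c) = y^(-c) because y^q = 1
    return e, c, s
```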

SLIDE 21

Homomorphic Commitments

  • Commitment like a sealed envelope/locked box: Commit and Open
    • Binding
    • Hiding
  • Pedersen Commitment
    • Generators g and h in G
    • Commit(x): C(x, r) := g^x ⋅ h^r
    • Open(C) := (x, r)
  • Additive Homomorphism
    • g^a ⋅ g^b = g^(a+b)
    • C(x1, r1) ⋅ C(x2, r2) = C(x1+x2, r1+r2)

SLIDE 22

Pedersen (Multi)Commitments

Some interesting properties
  • Knowledge of Opening
  • Equality of Committed Values
  • Proof of a Product Relationship
  • Proof of Dot Product

From [WTsTW ’18]

SLIDE 23

Range Proofs

  • Balancing Blindfolded: Hide your money in the exponent!
  • Pedersen Vector Commitments
    • g = (g1, . . . , gn), h
    • Com(x) = h^r g^x = h^r ⋅ (g1^x1 ⋅ … ⋅ gn^xn) = h^r ⋅ Π_{i=1}^{n} gi^xi
  • Inner Product Proof
    • Prover claims he knows two vectors – committed as above – that have a committed inner product value
    • P := g^a ⋅ h^b ⋅ u^c, where c = <a, b> := Σ_i ai bi
  • Range check with Inner Product
    • V in [0, R] iff <v, 2^r> = V, where R = 2^r − 1
    • v = (v1, v2, …, vr) such that V = v1⋅2^0 + v2⋅2^1 + . . . + vr⋅2^{r−1},
    • 2^r = (2^0, 2^1, 2^2, …, 2^{r−1})

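Pedersen commitments (slide 21), their vector form and the bit-decomposition relation <v, 2^r> = V behind the range check above, as an added Python example (not code from the talk or from any Bulletproofs implementation). The group parameters and generator choices are constructed toy assumptions; a real deployment derives h and the gi so that nobody knows their discrete logs relative to g.

```python
# Constructed toy group (an assumption of this example; not a secure size): p = 2q + 1,
# every square in Z_p^* has prime order q, so g, h and the g_i all lie in that subgroup.
# Here h and the g_i are fixed squares; in practice they must be hashed to the group so
# that log_g(h) and log_g(g_i) are unknown, otherwise the commitment is not binding.
P, Q = 2039, 1019
G, H = 4, 9                                        # 2^2 and 3^2
GENS = [pow(b, 2, P) for b in (5, 7, 11, 13, 17, 19, 23, 29)]   # g_1..g_8: an 8-bit range
POW2 = [1 << i for i in range(len(GENS))]          # the vector 2^r = (2^0, ..., 2^{r-1})

def commit(x, r):
    """Pedersen commitment C(x, r) = g^x * h^r."""
    return (pow(G, x, P) * pow(H, r, P)) % P

def additive_homomorphism_holds(x1, r1, x2, r2):
    """C(x1, r1) * C(x2, r2) == C(x1 + x2, r1 + r2), exponents reduced mod q."""
    return (commit(x1, r1) * commit(x2, r2)) % P == commit((x1 + x2) % Q, (r1 + r2) % Q)

def vector_commit(xs, r):
    """Pedersen vector commitment Com(x) = h^r * prod_i g_i^{x_i}."""
    acc = pow(H, r, P)
    for g_i, x_i in zip(GENS, xs):
        acc = acc * pow(g_i, x_i % Q, P) % P
    return acc

def inner(a, b):
    """<a, b> = sum_i a_i * b_i."""
    return sum(a_i * b_i for a_i, b_i in zip(a, b))

def bits(V):
    """v = (v1, ..., vr) with V = sum_i v_i * 2^(i-1), truncated to r = len(GENS) bits."""
    return [(V >> i) & 1 for i in range(len(GENS))]

def range_relation_holds(V, v):
    """The relation a range proof must establish: <v, 2^r> = V AND every v_i is a bit.
    Without the bit check a prover could 'decompose' any V, e.g. v = (V, 0, ..., 0)."""
    return inner(v, POW2) == V and all(b * (b - 1) == 0 for b in v)
```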
SLIDE 24

Conclusions

  • ZKP’s a powerful cryptographic tool
  • Can provide anonymity and confidentiality in cryptocurrencies
  • Useful in blockchains in general to verify transactions, smart contracts, and block formation while preserving privacy
  • Complex tradeoffs make bridging the theory and applications challenging
  • Long way to go, e.g., performance, avoid trusted set-up, etc.

SLIDE 25

THANK YOU!