Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Similar presentations


Presentation on theme: "Efficient Zero-Knowledge Proof Systems Jens Groth University College London."— Presentation transcript:

1 Efficient Zero-Knowledge Proof Systems Jens Groth University College London

2 Privacy and verifiability Hedge fundInvestor No! It is a trade secret. Did I lose all my money? Show me the current portfolio!

3 Zero-knowledge proof Statement ProverVerifier Witness  Soundness: Statement is true Zero-knowledge: Nothing but truth revealed

4 Internet voting VoterElection authorities Ciphertext Vote Encrypts vote to keep it private Tally without decrypting individual votes 4

5 Election fraud VoterElection authorities Ciphertext Not Bob Encrypts -100 votes for Bob Is the encrypted vote valid? 5

6 Zero-knowledge proof as solution VoterElection authorities Ciphertext Soundness: Vote is valid Zero-knowledge proof for valid vote encrypted Zero-knowledge: Vote is secret 6

7 Mix-net: Anonymous message broadcast m π (1) m π (2) m π (N) … π1π1 π2π2 π = π 1 ◦ π 2 m1m1 m2m2 mNmN Threshold decryption

8 Problem: Corrupt mix-server m π (1) m π (2) m´ π (N) … π1π1 π2π2 π = π 1 ◦ π 2 m1m1 m2m2 mNmN Threshold decryption

9 Solution: Zero-knowledge proof m π (1) m π (2) m π (N) … π1π1 π2π2 π = π 1 ◦ π 2 m1m1 m2m2 mNmN Threshold decryption Server 1 ZK proof No message changed (soundness) Server 2 ZK proof Permutation still secret (zero-knowledge)

10 Preventing deviation (active attacks) by keeping people honest AliceBob Yes, here is a zero- knowledge proof that everything is correct Did you follow the protocol honestly without deviation?

11 Cryptography 11 Problems typically arise when attackers deviate from a protocol (active attack) Zero-knowledge proofs prevent deviation and give security against active attacks

12 Fundamental building block 12 encryption signatures zero-knowledge Доверяй, но проверяй - Trust but verify

13 Zero-knowledge proofs Completeness –Prover can convince verifier when statement is true Soundness –Cannot convince verifier when statement is false Zero-knowledge –No leakage of information (except truth of statement) even if interacting with a cheating verifier 13

14 Parameters Efficiency –Communication (bits) –Prover’s computation (seconds) –Verifier’s computation (seconds) –Round complexity (number of messages) Security –Setup –Cryptographic assumptions

15 Round complexity Interactive zero-knowledge proof Non-interactive zero-knowledge proof 15 

16 Zero-knowledge proof efficiency cost interactive zero-knowledge proofs rest of the protocol non-interactive zero-knowledge proofs

17 Vision Main goal –Efficient and versatile zero-knowledge proofs Vision –Negligible overhead from using zero-knowledge proofs –Security against active attacks standard feature 17 zero-knowledge core

18 Statements Circuit SAT Hamiltonian Encrypted valid vote

19 Proof system 19

20 Graph isomorphism 20

21 Exercise Argue the GI proof system is complete What is the probability of the prover cheating the verifier? (soundness) Argue the GI proof system is witness indistinguishable, i.e., when there are several isomorphisms between the two graphs it is not possible to know which one the prover has in mind 21

22 Perfect completeness: Pr[Accept] = 1 Accept or reject Statement x  L Witness w so (x,w)  R Completeness 22

23 Computational soundness: For ppt adversary Pr[Reject] ≈ 1 Statistical soundness: For any adversary Pr[Reject] ≈ 1 Perfect soundness: Pr[Reject] = 1 Accept or reject Statement x  L Soundness 23

24 Arguments and proofs Argument (or computationally sound proof) –Computational soundness, holds against polynomial time adversary, relies on cryptographic assumptions Proof –Unconditional soundness, holds against unbounded adversary, and in particular without relying on cryptographic assumptions 24 Arguments can be more efficient than proofs

25 0/1 Witness indistinguishability

26 Zero-knowledge Zero-knowledge: –The proof only reveals the statement is true, it does not reveal anything else Defined by simulation: –The adversary could have simulated the proof without knowing the prover’s witness

27 view Zero-knowledge Simulator’s advantage: Can rewind adversary

28 Exercises Show the GI proof is perfect zero-knowledge Argue why zero-knowledge implies witness indistinguishability Give an example of a language and a proof system that is witness indistinguishable but not zero-knowledge (under reasonable assumptions) 28


Download ppt "Efficient Zero-Knowledge Proof Systems Jens Groth University College London."

Similar presentations


Ads by Google