1. Discrete logarithm based zero-knowledge arguments
Jens Groth
University College London
Based on joint works with Stephanie Bayer, Jonathan Bootle, Pyrros Chaidos, Andrea Cerulli and Christophe Petit

2. Zero-knowledge argument
Statement:
𝑥 1 ∧ 𝑥 2 ∧¬ 𝑥 3 ∨( 𝑥 2 ∧ x 4 ∧ 𝑥 5 )
Witness
Completeness: Honest prover convinces verifier 
Zero-knowledge: Nothing but truth revealed
Soundness: Statement is true
Prover Verifier

3. Internet voting Encrypts vote to keep it private
Tally without decrypting individual votes
Ciphertext
Voter Election authorities

4. Is the encrypted vote valid?
Election fraud
Encrypts 100 votes for Hwang Kyo-ahn
Is the encrypted vote valid?
번영!!
Ciphertext
Voter Election authorities

5. Zero-knowledge proof as solution
Zero-knowledge: Vote is secret
Soundness: Vote is valid
Ciphertext
Zero-knowledge proof for valid vote encrypted
Voter Election authorities

6. Cryptography
Problems typically arise when attackers deviate from a protocol (active attack)
Zero-knowledge proofs prevent deviation and give security against active attacks

7. Parameters Efficiency Security
Goal: efficient argument for NP Security parameter: 𝜆
Statement size: poly(𝜆)
Communication: 𝑂(𝜆 log 𝜆 ) bits
Efficiency
Communication (bits)
Prover’s computation (seconds/operations)
Verifier’s computation (seconds/operations)
Round complexity (number of messages)
Security
Setup
Cryptographic assumptions

8. Agenda Sigma-protocols Techniques Goal
Based on the hardness of the discrete logarithm problem
Techniques
Batching many arguments into one
Commitments to vectors for parallel verification
Polynomial convolution to get square root complexity
Interaction to reduce to logarithmic complexity
Goal
Arguments with 𝑂(𝜆 log 𝜆) bits communication for NP
Security parameter 𝜆, statements of size poly 𝜆

9. Sigma-protocol for NP-relation 𝑹
Completeness: Honest prover with witness always makes honest verifier accept
Sigma-protocol for NP-relation 𝑹
Statement 𝑢∈ 𝐿 𝑅
Witness 𝑤 (𝑢,𝑤)∈𝑅 𝑎
𝑥←𝑆 𝑧
𝑉 𝑢,𝑎,𝑥,𝑧 →1/0

10. Special soundness
Argument of knowledge:
Can extract witness from prover that has non-negligible success probability
If the prover can answer two distinct challenges then possible to efficiently compute witness 𝑎
𝑥←𝑆
𝑥′←𝑆 𝑧 𝑧′
Extract 𝑢,𝑎,𝑥, 𝑥 ′ ,𝑧,𝑧′ →𝑤

11. Special honest verifier zero-knowledge
Can simulate the honest verifier’s view without the witness 𝑎
𝑥←𝑆 𝑧
Simulate 𝑢,𝑥 →(𝑎,𝑧)

12. Fiat-Shamir heuristic
Statement 𝑢∈ 𝐿 𝑅 𝑎 𝑎
𝑥←𝑆
𝑥=Hash(𝑢,𝑎) 𝑧 𝑧
Non-interactive zero-knowledge argument in the random oracle model, where Hash is modelled as random function to 𝑆

13. Pedersen commitment Key generation Commitment Properties
Pick a group G of prime order 𝑝 with random generators 𝑔 and ℎ. Commitment key 𝑐𝑘=(G,𝑝,𝑔,ℎ).
Commitment
Given 𝑚∈ Z 𝑝 pick 𝑟← Z 𝑝 and compute 𝐶= 𝑔 𝑚 ℎ 𝑟
The opening of the commitment is (𝑚,𝑟)
Properties
Perfectly hiding
Computationally binding under discrete log assumption
Homomorphic com 𝑎;𝑟 ⋅com 𝑏;𝑠 =com(𝑎+𝑏;𝑟+𝑠)
Argue it is perfectly hiding
Verify it is homomorphic, i.e., 𝑐𝑜𝑚𝑚𝑖𝑡 𝑚;𝑟 ⋅𝑐𝑜𝑚𝑚𝑖𝑡 𝑚 ′ ; 𝑟 ′ =𝑐𝑜𝑚𝑚𝑖𝑡(𝑚+ 𝑚 ′ ;𝑟+ 𝑟 ′ )

14. Special soundness Answers to two distinct 𝑥≠ 𝑥 ′ 𝐴 𝑥 𝐵=com 𝑓;𝑧 𝐴 𝑥 ′ 𝐵=com( 𝑓 ′ ; 𝑧 ′ )
Implies 𝐴 𝑥− 𝑥 ′ =com 𝑓− 𝑓 ′ ;𝑧− 𝑧 ′ Giving 𝐴=com( 𝑓− 𝑓 ′ 𝑥− 𝑥 ′ ; 𝑧− 𝑧 ′ 𝑥− 𝑥 ′ )
Argument of knowledge
Relation 𝑅= 𝐴,(𝑎, 𝑟 𝐴 ) :𝐴=com(𝑎; 𝑟 𝐴 ) Sigma-protocol
Special honest verifier zero-knowledge Given 𝑥∈ 𝒁 𝑝 ∗ pick 𝑓,𝑧← 𝒁 𝑝 and compute 𝐵=com 𝑓;𝑧 𝐴 −𝑥
𝐵=com 𝑏; 𝑟 𝐵 𝐵
𝑥← 𝒁 𝑝 ∗
𝑓=𝑎𝑥+𝑏 𝑧= 𝑟 𝐴 𝑥+ 𝑟 𝐵
Accept if 𝐴 𝑥 𝐵=com(𝑓;𝑧)
𝑓,𝑧

15. Σ-protocol for arithmetic circuit over 𝒁 𝒑
Prove committed values respect the gates
Homomorphic property 𝑤 3 = 𝑤 1 + 𝑤 2
Multiplicative relationship
𝑣= 𝑤 2 ⋅ 𝑤 3 𝑣
𝑤 3
Communication: 𝑂(𝑁) elements
Prover computation: 𝑂(𝑁) expos
Verifier computation: 𝑂(𝑁) expos
𝑤 1
𝑤 2

16. Special soundness generalization
special soundness 𝑛-special soundness
𝑧 1
𝑧 1
𝑥 1
𝑥 1 𝑎 𝑎
𝑧 2
𝑥 2
𝑥 2
𝑧 2 ⋮
𝑥 𝑛
𝑧 𝑛
𝑛-special soundness
Given answers to 𝑛 distinct challenges it is possible to extract. I.e., we can run an efficient extractor Extract 𝑢,𝑎, 𝑥 𝑖 , 𝑧 𝑖 𝑖=1 𝑛 →𝑤 to get witness for 𝑢∈ 𝐿 𝑅

17. Batch argument of knowledge
Given commitments 𝐴 1 ,…, 𝐴 𝑚 how can we prove we know openings of all of them?
𝐴 0 =com 𝑎 0 ; 𝑟 0
𝑓=∑ 𝑎 𝑖 𝑥 𝑖 𝑧=∑ 𝑟 𝑖 𝑥 𝑖
𝐴 0
𝑥← 𝒁 𝑝 ∗
Accept if ∏ 𝐴 𝑖 𝑥 𝑖 =com(𝑓;𝑧)
𝑓,𝑧

18. 𝒎+𝟏-special soundness
Suppose we have accepting answers to 𝑥 0 ,…, 𝑥 𝑚 ∏ 𝐴 𝑖 𝑥 𝑗 𝑖 =com 𝑓 𝑗 ; 𝑧 𝑗
Vandermonde matrices are invertible. So for all 𝑘 there exist vector 𝑣 such that ( 𝑣 0 ,…, 𝑣 𝑚 ) 𝑥 0 0 ⋯ 𝑥 0 𝑚 ⋮ ⋱ ⋮ 𝑥 𝑚 0 ⋯ 𝑥 𝑚 𝑚 =(0,…,0,1,0,…,0)
This means 𝐴 𝑘 = 𝑗 𝑖 𝐴 𝑖 𝑥 𝑗 𝑖 𝑣 𝑗 =com 𝑗 𝑣 𝑗 𝑓 𝑗 ; 𝑗 𝑣 𝑗 𝑧 𝑗 Th

19. Generalized Pedersen commitment
Key generation
Pick a group G of prime order 𝑝 with random generators 𝑔 and 𝑔 1 ,…, 𝑔 𝑛 . Commitment key 𝑐𝑘= G,𝑝,𝑔, {𝑔 𝑖 𝑖 ).
Commitment
Given 𝑚 1 ,…, 𝑚 𝑛 ∈ Z 𝑝 pick 𝑟← Z 𝑝 and let 𝑐= 𝑔 𝑟 ∏ 𝑔 𝑖 𝑚 𝑖
The opening of the commitment is ( 𝑚 1 ,…, 𝑚 𝑛 ,𝑟)
Properties
Perfectly hiding
Computationally binding under discrete log assumption
Homomorphic com 𝑎 ;𝑟 ⋅com 𝑏 ;𝑠 =com( 𝑎 + 𝑏 ;𝑟+𝑠)
Argue it is perfectly hiding
Verify it is homomorphic, i.e., 𝑐𝑜𝑚𝑚𝑖𝑡 𝑚;𝑟 ⋅𝑐𝑜𝑚𝑚𝑖𝑡 𝑚 ′ ; 𝑟 ′ =𝑐𝑜𝑚𝑚𝑖𝑡(𝑚+ 𝑚 ′ ;𝑟+ 𝑟 ′ )

20. Batch argument of knowledge of vectors
Given vector commitments 𝐴 1 ,…, 𝐴 𝑚 how can we prove we know openings of all 𝑁=𝑚𝑛 values?
Let 𝑚≈𝑛≈√𝑁 to get minimal communication of 2 𝑁 elements
𝐴 0 =com 𝑎 0 ; 𝑟 0
𝑓=∑ 𝑎 𝑖 𝑥 𝑖 𝑧=∑ 𝑟 𝑖 𝑥 𝑖
𝐴 0
𝑥← 𝒁 𝑝 ∗
Accept if ∏ 𝐴 𝑖 𝑥 𝑖 =com( 𝑓 ;𝑧)
𝑓 ,𝑧

21. Batch inner product argument
Given commitments 𝐴 1 , 𝐵 1 ,…, 𝐴 𝑚 , 𝐵 𝑚 , 𝐶 0 we want to give an argument of knowledge that their openings satisfy ∑ 𝑎 𝑖 ⋅ 𝑏 𝑖 = 𝑐 0
As part of the argument, the prover will get a challenge 𝑥← 𝒁 𝑝 ∗ and open ∏ 𝐴 𝑖 𝑥 𝑖 =com ∑ 𝑎 𝑖 𝑥 𝑖 ∏ 𝐵 𝑗 𝑥 −𝑗 =com ∑ 𝑏 𝑗 𝑥 −𝑗
Observe ∑ 𝑎 𝑖 𝑥 𝑖 ⋅∑ 𝑏 𝑗 𝑥 −𝑗 =∑ 𝑐 𝑘 𝑥 𝑘

22. Matrix view
𝑏 1 𝑥 −1 ⋯
𝑏 𝑚 𝑥 −𝑚
𝑎 1 ⋅ 𝑏 1 ⋯ 𝑎 1 ⋅ 𝑏 𝑚 𝑥 1−𝑚 ⋮ ⋱ ⋮ 𝑎 𝑚 ⋅ 𝑏 1 𝑥 𝑚−1 ⋯ 𝑎 𝑚 ⋅ 𝑏 𝑚
𝑎 1 𝑥 1 ⋮ 𝑎 𝑚 𝑥 𝑚
𝑐 1−𝑚 𝑥 1−𝑚 ⋮ 𝑐 −1 𝑥 −1
𝑐 𝑚−1 𝑥 𝑚−1 ⋯
𝑐 1 𝑥
𝑐 0
Can compute 𝑐 1−𝑚 ,…, 𝑐 𝑚−1 using the Fast Fourier Transform in 𝑂 𝑚𝑛 log 𝑚 =𝑂(𝑁 log 𝑁 ) operations

23. Batch inner product argument
Given commitments 𝐴 1 , 𝐵 1 ,…, 𝐴 𝑚 , 𝐵 𝑚 , 𝐶 0 we want to give an argument of knowledge that their openings satisfy ∑ 𝑎 𝑖 ⋅ 𝑏 𝑖 = 𝑐 0
𝐶 𝑘 =com 𝑐 𝑘
𝐶 1−𝑚 ,…, 𝐶 𝑚−1
Accept if ∏ 𝐴 𝑖 𝑥 𝑖 =com 𝑎 ∏ 𝐵 𝑗 𝑥 −𝑗 =com 𝑏 ∏ 𝐶 𝑘 𝑥 𝑘 =com( 𝑎 ⋅ 𝑏 )
𝑥← 𝒁 𝑝 ∗
𝑎 =∑ 𝑎 𝑖 𝑥 𝑖 𝑏 =∑ 𝑏 𝑗 𝑥 −𝑗
𝑎 , 𝑏

24. Arithmetic circuit written as inner products
Commit to inputs and outputs of the 𝑁 multiplication gates, i.e., 𝑎 𝑖 𝑏 𝑖 = 𝑐 𝑖
Want to show all multiplication gates are respected, which is true if we have a polynomial equality ∑𝑎 𝑖 ⋅ 𝑏 𝑖 𝑦 𝑖 − ∑𝑐 𝑖 ⋅𝑦 𝑖 =0
Also want to show all addition gates are respected, or more generally linear constraints are satisfied, i.e., 𝑎 ⋅ 𝛼 𝑗 + 𝑏 ⋅ 𝛽 𝑗 + 𝑐 ⋅ 𝛾 𝑗 = 𝑑 𝑗 Which can also be written as a polynomial equality ∑ 𝑎 ⋅ 𝛼 𝑗 𝑦 𝑗 +∑ 𝑏 ⋅ 𝛽 𝑗 𝑦 𝑗 +∑ 𝑐 ⋅ 𝛾 𝑗 𝑦 𝑗 − 𝑑 𝑗 𝑦 𝑗 =0

25. Arithmetic product argument
With 𝑁=𝑚𝑛 multiplication gates we make 3𝑚 commitments, and then use 𝑂(𝑚+𝑛) communication for inner product argument
Arithmetic product argument
Reduction of arithmetic circuit satisfiability to inner product equation
Using homomorphic properties (and something more) we get inner product equations in 𝑦 for multiplication gates and additive constraints
𝐴 1 , 𝐵 1 , 𝐶 1 ,…, 𝐴 𝑚 , 𝐵 𝑚 , 𝐶 𝑚
𝑦← 𝒁 𝑝 ∗

26. The square root communication barrier
Given arithmetic circuit with 𝑁 gates, what is the minimal communication argument?
Decompose 𝑁=𝑚𝑛
Commit to wires with 𝑚 commitments to 𝑛 values each
𝐶 1 ,… 𝑥
Recursion by arguing that we know how to open commitments Seems expensive...
Need 𝑛 values to open a commitment So seems like we have Ω( 𝑁 ) lower bound
𝑧 1 ,…

27. Changing committed values
Modify committed values by changing the commitment key!
Recall a Pedersen commitment is of the form com 𝑎 =∏ 𝑔 𝑖 𝑎 𝑖 = 𝑔 𝑎
If 𝑛=𝑚ℓ we can write 𝑔 = 𝑔 1 ,…, 𝑔 𝑚 𝑎 = 𝑎 1 ,…, 𝑎 𝑚 and get com 𝑎 = 𝑔 𝑎 𝑔 𝑎 =∏ 𝑔 𝑖 𝑎 𝑖

28. Recursive inner product argument step
Will reduce argument of knowledge of 𝐴 0 =∏ 𝑔 𝑖 𝑎 𝑖 𝐵 0 =∏ ℎ 𝑖 𝑏 𝑖 ∑ 𝑎 𝑖 ⋅ 𝑏 𝑖 = 𝑐 0 to argument of knowledge of 𝐴= 𝑔 𝑎 𝐵= ℎ 𝑏 𝑎 ⋅ 𝑏 =𝑐
𝐴 1−𝑚 , 𝐵 1−𝑚 , 𝑐 1−𝑚 … 𝐴 𝑚−1 , 𝐵 𝑚−1 , 𝑐 𝑚−1
𝑥← 𝒁 𝑝 ∗

29. Matrix view
𝑏 1 𝑥 −1 ⋯
𝑏 𝑚 𝑥 −𝑚
ℎ 1 𝑏 1 ⋯ ℎ 1 𝑏 𝑚 𝑥 1−𝑚 ⋮ ⋱ ⋮ ℎ 𝑚 𝑏 1 𝑥 𝑚−1 ⋯ ℎ 𝑚 𝑏 𝑚
ℎ 1 𝑥 1 ⋮ ℎ 𝑚 𝑥 𝑚
𝐵 1−𝑚 𝑥 1−𝑚 ⋮ 𝐵 −1 𝑥 −1
𝐵 𝑚−1 𝑥 𝑚−1 ⋯
𝐵 1 𝑥
𝐵 0
We have 𝐵=∏ 𝐵 𝑘 𝑥 𝑘 = ∏ ℎ 𝑖 𝑥 𝑖 ∑ 𝑏 𝑗 𝑥 −𝑗 = ℎ 𝑏 Similarly 𝐴=∏ 𝐴 𝑘 𝑥 −𝑘 = ∏ 𝑔 𝑗 𝑥 −𝑗 ∑ 𝑎 𝑖 𝑥 𝑖 = 𝑔 𝑎

30. Soundness of recursive step
Like in the previous product argument when 𝑎 ⋅ 𝑏 =∑ 𝑎 𝑖 𝑥 𝑖 ⋅∑ 𝑏 𝑗 𝑥 −𝑗 =∑ 𝑐 𝑘 𝑥 𝑘 then this means with overwhelming probability ∑ 𝑎 𝑖 ⋅ 𝑏 𝑖 = 𝑐 0
𝑧 1
𝑧 1
𝑥 1
𝑧 2 𝑎
𝑧 2 𝑎
𝑥 2 ⋮ ⋮ ⋮
𝑥 𝑛
𝑧 𝑛
𝑧 𝑛
𝑛−special soundness tree-special soundness

31. Efficiency Implementation in Python using Danezis’ petlib library
Previous work
Rounds
Prover
Verifier
Comm.
Cramer-Damgård 1997 3
6N expo
11N elem
Groth 2009 7
6N/log N expo
O(N) mult
16√N elem
2 log N + 5
9√N elem
Seo 2011 5
37√N elem
This work
4√N elem
2 log N + 1
12N expo
4N expo
6 log N elem
Implementation in Python using Danezis’ petlib library

32. Summary Sigma-protocols Techniques Minimal communication arguments
Based on Pedersen commitments
Hardness of the discrete logarithm problem
Techniques
Batching many arguments into one
Commitments to vectors for parallel verification
Polynomial convolution to get square root complexity
Interaction to reduce to logarithmic complexity
Minimal communication arguments
Arguments with 𝑂(𝜆 log 𝜆) bits communication for NP
Security parameter 𝜆, statements of size poly 𝜆