Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Zero-Knowledge Proofs Jens Groth University College London.

Published byLindsey Augusta Bennett Modified over 8 years ago

Similar presentations

Presentation on theme: "Efficient Zero-Knowledge Proofs Jens Groth University College London."— Presentation transcript:

1 Efficient Zero-Knowledge Proofs Jens Groth University College London

2 Zero-knowledge proof ProverVerifier Witness  Soundness: Statement is true Zero-knowledge: Nothing but truth revealed Statement

3 Internet voting VoterElection authorities Enc pk (vote;r) Witness: vote, r Encryption: The vote is private Is the vote valid? The vote is valid  Soundness: The encrypted vote is valid Zero-knowledge: The vote remains secret

4 Multi-party computation PeggyVictor xy f(x,y) Did you follow the protocol correctly? I followed the protocol correctly Soundness: Peggy followed protocol Zero-knowledge: Peggy’s input remains secret zk proof

5 Signatures SignerVerifier sk = x vk = f(x) I know x and m Fiat-Shamir heuristic: If ZK proof is public coin make it non-interactive by using hash-function to compute challenges Sign sk (m)

6 Statements Statements of the form x  L –L is an NP-language –Prover’s witness is w such that (x,w)  R L Examples –The plaintext of c using public key pk is m Witness is r such that c = Enc pk (m;r) –The circuit C is satisfiable Witness w input to circuit such that C(w)=1 Circuit Satisfiability is an NP-complete language

7 Interactive proof system for L Efficient interactive algorithms P, V –The prover algorithm P takes as initial input a statement x and a witness w such that (x,w)  R L –The verifier algorithm V takes as initial input a statement x P and V interact and afterwards V returns a bit b –b = 1 corresponds to accept –b = 0 corresponds to reject Completeness: –Honest P on (x,w)  R L always makes honest V accept

8 Soundness Soundness: Pr[ x  L and b=1]  0 Adversary Verifier xLxL b

9 Proof or argument Proof (statistical/perfect soundness): –(P,V) is a proof system for L if an unbounded adversary has negligible chance of convincing the verifier on a false statement Argument (computational soundness): –(P,V) is an argument system for L if a non-uniform polynomial time adversary has negligible chance of convincing the verifier on a false statement

10 Zero-knowledge Zero-knowledge: –The proof only reveals the statement is true, it does not reveal anything else Defined by simulation: –The adversary can simulate the proof without knowing the prover’s witness xLxL xLxL

11 Efficiency Parameters –Communication –Verifier computation –Prover computation –Number of rounds of interaction Fiat-Shamir heuristic: Public coin protocol where verifier just sends random challenges. Can replace verifier with cryptographic hash-function Gives non-interactive protocol that may be verified many times.

12 Our goal Sublinear communication Linear computation for verifier Quasi-linear computation for prover Constant round complexity Cannot leak many bits about witness. Zero-knowledge easy. Must convince verifier using less bits than the witness. Soundness hard.

13 Example Language L = {(p,G,G,H,U,V) |  w: U=G w,V=H w } –G is a prime order p group, G,H,U,V  G ProverVerifier A=G r, B=H r x f  wx+r Accept if U x A = G f V x B = H f Completeness: U x A = (G w ) x G r = G wx+r = G f V x B = (H w ) x H r = H wx+r = H f So verifier accepts Soundness: U x A = (G u ) x G a = G ux+a = G f V x B = (H v ) x H b = H vx+b = H f So ux+a  vx+b, which is very unlikely for a randomly chosen x unless u = v and a = b It is not zero-knowledge It is special honest verifier zero-knowledge: Given x in advance simulate by picking f at random and computing A=G f U -x, B=H f V -x A, B f

14 Batch proofs Language L = {(p,G,G,H,U 1,V 1,…,U n,V n ) |  w 1,…,w n : U 1 =G w 1,V 1 =H w 1,…,U n =G w n,V n =H w n } ProverVerifier A=G r, B=H r x f  r+  w i x i Accept if A  U i x i = G f B  V i x i = H f A, B f Soundness: A  U i x i = G a  (G u i ) x i = G a+  u i x i = G f B  V i x i = H b  (H v i ) x i = H b+  v i x i = H f So a+  u i x i  b+  v i x i, which is very unlikely for a randomly chosen x unless a = b and u i = v i

15 Schwartz-Zippel lemma Given two different polynomials p(X)  q(X) in Z p [X] of degree n, the chance over random x  Z p that p(x)=q(x) is at most n/p In our batch proof, the probability of a+  u i x i  b+  v i x i is at most n/p for random x unless a = b and u i = v i

16 Pedersen commitment Commitment key ck = (p,G,G,H) Commit(a;r) = G a H r where r  Z p Opening of commitment C is (a,r) such that C=G a H r Computationally binding: –Cannot find a  b, r,s such that G a H r = G b H s Perfectly hiding: –No matter what a is we get random group element C

17 Generalized Pedersen commitment Commitment key ck = (p,G,G 1,…,G n,H) Commit(a 1,…,a n ;r) = H r  G i a i where r  Z p Computationally binding: –Cannot find (a 1,…,a n,r)  (b 1,…,b n,s) for same C Perfectly hiding: –For all (a 1,…,a n ) we get random group element C

18 Generalized Pedersen commitment Commit(a 1,…,a n ;r) = H r  G i a i where r  Z p Length-reducing: –A single group element even for large vectors (a 1,…,a n ) Homomorphic: Commit(a 1,…,a n ;r) ∙ Commit(b 1,…,b n ;s) =Commit(a 1 +b 1,…,a n +b n ;r+s)

19 Identical committed matrices A=B A 1 =commit(a 1 ;r 1 ) … A m =commit(a m ;r n ) B 1 =commit(b 1 ;s 1 ) … B m =commit(b m ;s n ) ProverVerifier C,D x f,r,s Accept if C  A i x i =com(f;r) D  B i x i =com(f;s) Soundness: C  A i x i = com(t+  a i x i ;r) = com(f;r) D  B i x i = com(t’+  b i x i ;s) = com(f;s) So t+  a i x i = t’+  b i x i, which is very unlikely for a randomly chosen x unless a i =b i and hence A=B Completeness: C=commit(t;r 0 ), D=commit(t;s 0 ) f=t+  a i x i, r=r 0 +  r i x i, s=s 0 +  s i x i

20 Efficiency Communication: 2m+n group and field elements Verifier computes: 2m exponentiations Prover computes: 2mn exponentiations Rounds: 3 Compare to O(mn) complexity using standard Pedersen commitments and no batching

21 Circuit Satisfiability General: NP-complete Model: Resembles real computation Benchmark: Widely used in ZK proofs NAND a1a1 b1b1 b2b2 1 a2a2

22 Standard zero-knowledge argument for CSAT Prove committed a 1,a 2,b 1,b 2  {0,1} Prove committed a 2 =  (a 1  b 1 ), 1=  (a 2  b 2 ) Total cost for N-gate circuit: –O(N) group and field elements –O(N) exponentiations for both prover and verifier NAND Commit(a 1 ;r 1 ) Commit(b 2 ;s 2 ) Commit(b 1 ;s 1 ) Commit(a 2 ;r 2 ) Commit(1;0) Committed a,b,c such that c=  (a  b) Homomorphic property gives 1-c Multiplication proof for 1-c=ab Cost O(1) group and field elements O(1) exponentiations for prover O(1) exponentiations for verifier Committed a  {0,1} Multiplication proof for a ∙ a=a Cost O(1) group and field elements O(1) exponentiations for prover O(1) exponentiations for verifier

23 Batch proof for Circuit Satisfiability Commit(a 1,a 2 ;r), Commit(b 1,b 2 ;s) Batch proof for a 1,a 2,b 1,b 2  {0,1} Batch proof for a 2 =  (a 1  b 1 ), 1=  (a 2  b 2 ) Total cost for N-gate circuit: –O(  N) group and field elements –O(N) multiplications for both prover and verifier NAND a1a1 a2a2 b1b1 b2b2

24 Batched commitment to wires of circuit Public commitment key (p,G,H,G 1,…,G n ) Commit to a 1,…,a N, where N=mn, as A 1 = Commit(a 11,…,a 1n ;r 1 ) … A m = Commit(a m1,…,a mn ;r m ) Cost of committing to N=mn field elements –Commitment key has n group elements –There are m commitments –Batched openings contain n field elements –Setting m=n the cost is O(  N) group and field elements

25 Batch argument for committed wires being 0/1 Want to show Commit(a 11,…,a 1n ;r 1 ) …satisfy a ij  {0,1} Commit(a m1,…,a mn ;r m ) Equivalent to showing a ij (a ij -1)=0 Define b ij =a ij -1 and s i =r i and compute Commit(b 11,…,b 1n ;s 1 ) = Commit(a 1 ;r 1 ) Commit(-1;0) … Commit(b m1,…,b mn ;s m )=Commit(a m ;r m )Commit(-1;0) Now need to show a ij b ij =0

26 Batch product argument Want to show a ij b ij =0 for committed values Commit(a 11,…,a 1n ;r 1 ) Commit(b 11,…,b 1n ;s 1 ) … Commit(a m1,…,a mn ;r m ) Commit(b m1,…,b mn ;s m ) Let verifier pick random y,z  Z p Will demonstrate  i  j y i a ij b ij z j =0 Schwartz-Zippel tells us unless for all i,j: a ij b ij =0 negligible probability this is true

27 Simplifying the batch product argument Given y,z prover will demonstrate  i  j y i a ij b ij z j =0 for commitments Commit(a i1,…,a in ;r i )Commit(b i1,…,b in ;s i ) Defining (u 1,…,u n )  (v 1,…,v n )=  j u j v j z j the prover’s task is to demonstrate  i y i a i  b i =0 Using the homomorphic property we have Commit(y i a i ;y i r i ) = Commit(a i ;r i ) y i This simplifies reduces the prover’s task to show Commit(a i ’;r i ’)Commit(b i ;s i ) contains values that satisfy  i a i ’  b i =0

28 Idea behind batch ZK argument b 1 b 2 b 3 a 1 a 1  b 1 a 1  b 2 a 1  b 3 a 2 a 2  b 1 a 2  b 2 a 2  b 3 a 3 a 3  b 1 a 3  b 2 a 3  b 3 a1b1+a2b2+a3b3a1b1+a2b2+a3b3

29 Idea behind batch ZK argument  x -1 b 1 + x -2 b 2 + x -3 b 3 x 1 a 1 a 1  b 1 x -1 a 1  b 2 x -2 a 1  b 3 + x 2 a 2 x 1 a 2  b 1 a 2  b 2 x -1 a 2  b 3 + x 3 a 3 x 2 a 3  b 1 x 1 a 3  b 2 a 3  b 3 a1b1+a2b2+a3b3a1b1+a2b2+a3b3 x -1 (a 1  b 2 +a 2  b 3 ) x -2 (a 1  b 3 ) x1(a2b1+a3b2)x1(a2b1+a3b2) x2(a3b1)x2(a3b1)

30 Main part of the batch product argument Given commitments and weighted inner product  Commit(a 1 ;r 1 )Commit(b 1 ;s 1 ) …… Commit(a m ;r m )Commit(b m ;s m ) show they contain values that satisfy  i a i  b i =0 Prover sends commitments C -m,…,C -1,C 1,…,C m C k = Commit(c k ;t k )c k =  i-j=k a i  b j Verifier sends random challenge x  Z p * Prover gives zero-knowledge argument for (  x i a i )  (  x -j b j ) =  x k c k Use homomorphic properties to compute A =  A i x i = Commit(  x i a i ;  x i r i ) B =  B j x -j = Commit(  x -j b j ;  x -j s j ) C =  C k x k = Commit(  x k c k ;  x k t k ) The final ZK argument costs O(n) field elements and O(n) exponentiations for prover and verifier Soundness: Look at coefficient for x 0. The equation gives  i-j=0 x i-j a i  b j =  i a i  b i = c 0 = 0 By the Schwartz-Zippel lemma negligible probability over x for this being true unless  i a i  b i = 0 as we wanted to show

31 Total batch proof Goal: Prove N=mn committed a ij  {0,1} Method: a ij b ij =0where b ij =a ij -1 –Verifier sends challenges y,z –Prover sends C -m,…,C -1,C 1,…,C m –Verifier sends challenge x –Prover argues A,B,C contains a j,b j,c j such that a j b j =c j Cost: –Communicates O(m+n) group and field elements –Verifier uses O(m+n) exponentiations

32 Prover’s computation b 1 b 2 b 3 a 1 a 1  b 1 a 1  b 2 a 1  b 3 a 2 a 2  b 1 a 2  b 2 a 2  b 3 a 3 a 3  b 1 a 3  b 2 a 3  b 3 a1b2+a2b3a1b2+a2b3 a1b3a1b3 a2b1+a3b2a2b1+a3b2 a3b1a3b1 Naively m 2 n multiplications Instead evaluate in 2m points  1,...,  2m and use polynomial interpolation to find coefficients of (  a i  i )(  b j  -j ) =  c k  k Using FFT to evaluate  a i  i and  b j  -j the cost is O(N log m)

33 Batch proof for Circuit Satisfiability Commit(a 1,a 2 ;r), Commit(b 1,b 2 ;s) Batch proof for a 1,a 2,b 1,b 2  {0,1} Batch proof for a 2 =  (a 1  b 1 ), 1=  (a 2  b 2 ) Batch wire consistency proof NAND a1a1 a2a2 b1b1 b2b2

34 Wire consistency (sketch) Committed outputs of gates a i matching inputs b i to other gates in circuit Given permutation  defined by circuit wiring prover wants to show b i = a  (i) Verifier picks random challenge x Prover demonstrates  x i b i =  x  (i) a  (i) Cost: –Communication: O(m+n) elements –Verifier computation: O(N) multiplications –Prover computation: O(N log N) multiplications

35 Cost for N-gate circuit Standard argument –O(N) elements –O(N) verifier expos –O(N) prover expos –3 rounds Batch argument –O(  N) elements –O(N) verifier mults –O(N log N) prover mults –5 rounds

36 Further developments Can they be even more efficient? Yes, pairing-based techniques gives us communication of O(N 1/3 ) elements Can they be combined with group elements? Yes

37 Efficient ZK arguments over fields & groups Can do addition using homomorphic properties Can use our techniques to show multiplicative relationship between committed values Gives us linear algebra over committed elements –For instance committed matrices satisfy AB=C Statements involving group elements and exponentiations –For instance C=  i  j A ij b ij

38 Intuition x -1 b 1 + x -2 b 2 + x -3 b 3 A 1 x 1 A 1 b 1 A 1 x -1 b 2 A 1 x -2 b 3 ∙ A 2 x 2 A 2 x 1 b 1 A 2 b 2 A 2 x -1 b 3 ∙ A 3 x 3 A 3 x 2 b 1 A 3 x 1 b 2 A 3 b 3 A 1 x -2 b 3 A 1 x -1 b 2 ∙ A 2 x -1 b 3 A 2 x 1 b 1 ∙ A 3 x 1 b 2 A 1 b 1 ∙ A 2 b 2 ∙ A 3 b 3 A 3 x 2 b 1

39 Application to mix-nets m π (1) m π (2) m π (N) … π1π1 π2π2 π = π 1  π 2 m1m1 m2m2 mNmN Threshold decryption

40 Problem: Corrupt mix-server m π (1) m π (2) m´ π (N) … π1π1 π2π2 π = π 1  π 2 m1m1 m2m2 mNmN Threshold decryption

41 Mix-server gets input ciphertexts c 1,…,c N Permutes and rerandomizes ciphertexts c 1 ’=c  (1) ∙ (G r 1,H r 1 ), …, c N ’=c  (N) ∙ (G r N,H r N ) Zero-knowledge argument for correct shuffle –Joint work with Stephanie Bayer, UCL –Communication: 16  N elements –Verifier computation: 4N exponentiations –Prover computation: O(N log N) exponentiations –Rounds:9 ElGamal shuffle Statement (c 1,c 1 ’,...,c N,c N ’) can be huge. For instance election with 100,000 voters. Experimental results for N=100,000 N=mn, where m=16, |p|=1024, |q|=160 Communication: 2.5 MB Verifier computation: 52 seconds Prover computation: 135 seconds

42 Vision Zero-knowledge proofs should be the cheapest component in cryptographic protocols –Something you can just throw in automatically without significant overhead Thank you!

Download ppt "Efficient Zero-Knowledge Proofs Jens Groth University College London."

Similar presentations

Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Short Non-interactive Zero-Knowledge Proofs

Short Non-interactive Zero-Knowledge Proofs
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.

Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.
Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.

Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs Jens Groth University College London TexPoint fonts used.

Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs Jens Groth University College London TexPoint fonts used.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London Yuval Ishai Technion and University of California.

Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London Yuval Ishai Technion and University of California.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Similar presentations

Ads by Google