Transcript Slide 1
Efficient Zero-Knowledge Proof Systems
Jens Groth
University College London
Public coin: Random challenge,
verifier does not store private
information about challenge
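Σ-protocols
• 3-move proof systems
(Diagram: the prover sends an initial message $a$, the verifier replies with a random challenge $e$, and the prover sends an answer $z$)
• Complete
• Special soundness
• Special honest verifier zero-knowledge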
Special soundness
• Given two accepting transcripts $(a, e, z)$ and $(a, e', z')$ for a statement $x$ with the same initial message $a$, but two different challenges $e \neq e'$, it is possible to compute witness $w$ such that $(x, w) \in R$
• Exercise
– Argue special soundness implies soundness
Special soundness is a form of proof of knowledge
• Proof of knowledge
– Not just that the statement is true, but that the prover “knows” the witness
• Defined through extraction
– The prover “knows” the witness if we can extract the witness from the prover
• Extraction through rewinding
– Consider prover in the state after the initial message has been sent. Rewind it many times to this state giving it different challenges. Once we have answers to two different challenges, we can extract the witness
Honest verifier zero-knowledge
ZK
HVZK
Special honest verifier zero-knowledge
• There is a simulator that, given the statement $x$ and the challenge $e$, can simulate the initial message and answer such that they look like a real transcript
– Typically this is done by first selecting the answer $z$ and then computing the initial message $a$
– The simulator’s advantage, which lets it make a convincing transcript like a real prover even though it does not have the witness, is that it can compute the transcript in reverse order
Equivalence of discrete logarithms
• Assume setup $gk$ describing a group $G$ of prime order $p$ with generator $g$
• Relation $R = \{ ((gk, h, u, v), w) : u = g^w \text{ and } v = h^w \}$
• Protocol
– Prover picks $r \leftarrow \mathbb{Z}_p$ and sends $a = g^r$, $b = h^r$
– Verifier sends a challenge $e \leftarrow \mathbb{Z}_p$
– Prover sends $z = ew + r \pmod{p}$
– Accept if $u^e a = g^z$ and $v^e b = h^z$
• Exercise: Prove it is complete, special sound and SHVZK
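An added example, not part of the original slides: the equality-of-discrete-logarithms protocol run over a constructed toy group, with the special-soundness extractor and the SHVZK simulator beside the honest prover. The group parameters and all function names are assumptions chosen for illustration.

```python
import secrets

# Constructed toy parameters (far too small for real use): the quadratic
# residues modulo the safe prime M = 2p + 1 form a group of prime order p.
M, p = 2039, 1019
g, h = 4, 9            # two generators of that order-p subgroup

def commit_msg(r):
    """Prover's initial message (a, b) = (g^r, h^r)."""
    return pow(g, r, M), pow(h, r, M)

def respond(w, r, e):
    """Prover's answer z = e*w + r (mod p)."""
    return (e * w + r) % p

def verify(u, v, a, b, e, z):
    """Accept iff u^e a = g^z and v^e b = h^z."""
    return (pow(u, e, M) * a % M == pow(g, z, M)
            and pow(v, e, M) * b % M == pow(h, z, M))

def extract(e1, z1, e2, z2):
    """Special soundness: w = (z - z') / (e - e') mod p from two accepting
    transcripts that share (a, b) but have different challenges."""
    return (z1 - z2) * pow((e1 - e2) % p, -1, p) % p

def simulate(u, v, e):
    """SHVZK: pick z first, then solve the verification equations for (a, b)."""
    z = secrets.randbelow(p)
    a = pow(g, z, M) * pow(u, (-e) % p, M) % M
    b = pow(h, z, M) * pow(v, (-e) % p, M) % M
    return a, b, z

def demo():
    w = secrets.randbelow(p)                 # witness
    u, v = pow(g, w, M), pow(h, w, M)        # statement
    r = secrets.randbelow(p)
    a, b = commit_msg(r)
    e1, e2 = 17, 903                         # two challenges, as after a rewind
    z1, z2 = respond(w, r, e1), respond(w, r, e2)
    ok = verify(u, v, a, b, e1, z1) and verify(u, v, a, b, e2, z2)
    sa, sb, sz = simulate(u, v, e1)          # built without the witness
    return ok, extract(e1, z1, e2, z2) == w, verify(u, v, sa, sb, e1, sz)
```

`demo()` returns three flags: the honest transcripts verify, the extractor recovers the witness, and the simulated transcript verifies.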
Σ-protocol for arithmetic circuit over $\mathbb{Z}_p$
(Circuit diagram: wires $w_1$, $w_2$, $w_3$ and output $v$)
Prove hidden values respect the gates
• $w_3 = w_1 + w_2$
• $v = w_2 \cdot w_3$
Multiple Σ-protocols can be composed with each other using the same challenge
Non-interactive commitment
Hiding: $c$ does not reveal $m$
Binding: Sender can only open $c$ in one way
(Diagram: the sender sends the commitment $c$ and later the opening $(m, r)$)
• Key generation returns commitment key $ck$
• Commitment algorithm commits to $m$ by picking randomness $r$ and computing $c = \mathrm{commit}(m; r)$
• Opening consists of $(m, r)$ which allows recipient to check that $c = \mathrm{commit}(m; r)$
Pedersen commitments
• Key generation
– Pick a group $G$ of prime order $p$ with random generators $g$ and $h$. Key $ck = (G, p, g, h)$.
• Commitment
– Given $m \in \mathbb{Z}_p$ pick $r \leftarrow \mathbb{Z}_p$ and compute $c = g^r h^m$
• The opening of the commitment is $(m, r)$
• Exercise
– Argue it is perfectly hiding
– Verify it is homomorphic, i.e., $\mathrm{commit}(m; r) \cdot \mathrm{commit}(m'; r') = \mathrm{commit}(m + m'; r + r')$
ElGamal type commitments
• Key generation
– Pick a group $G$ of prime order $p$ with random generators $g$ and $h$. Key $ck = (G, p, g, h)$.
• Commitment
– Given $m \in \mathbb{Z}_p$ pick $r \leftarrow \mathbb{Z}_p$ and compute $c = (g^r, h^{m+r})$
• The opening of the commitment is $(m, r)$
• Exercise
– Argue it is perfectly binding
– Verify it is homomorphic: $\mathrm{com}(m; r) \cdot \mathrm{com}(m'; r') = \mathrm{com}(m + m'; r + r')$
Addition gates
• Consider a gate saying $w_3 = w_1 + w_2$
• Given commitments $c_1 = \mathrm{com}(w_1; r_1)$ and $c_2 = \mathrm{com}(w_2; r_2)$, compute the commitment to $w_3$ as $c_3 = c_1 \cdot c_2$, which by the homomorphic property of the commitment scheme automatically gives a verifiable commitment to $w_3 = w_1 + w_2$
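Multiplication gates
• Statement: $c_1, c_2, c_3$
• Prover’s witness: $w_1, r_1, w_2, r_2, w_3, r_3$ satisfying $w_3 = w_1 w_2$, $c_1 = \mathrm{com}(w_1; r_1)$, $c_2 = \mathrm{com}(w_2; r_2)$, $c_3 = \mathrm{com}(w_3; r_3)$
• Protocol
– Prover picks $d, s, t \leftarrow \mathbb{Z}_p$ and sends $a = \mathrm{com}(d; s)$, $b = \mathrm{com}(w_2 d; t)$
– Verifier sends a challenge $x \leftarrow \mathbb{Z}_p$
– Prover sends $f = x w_1 + d$, $z_1 = x r_1 + s$, $z_2 = x r_3 + t - f r_2$
– Accept if $c_1^x a = \mathrm{com}(f; z_1)$ and $c_3^x b = c_2^f \cdot \mathrm{com}(0; z_2)$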
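An added example, not part of the original slides, covering the addition and multiplication gates above with Pedersen commitments over a constructed toy group. It assumes com(m; r) = g^r h^m; the name `d` for the prover's blinding value and all function names are assumptions chosen for illustration.

```python
import secrets

# Constructed toy group (far too small for real use): the order-p subgroup
# of quadratic residues modulo the safe prime M = 2p + 1.
M, p = 2039, 1019
g, h = 4, 9

def com(m, r):
    """Pedersen commitment com(m; r) = g^r h^m (assumed orientation)."""
    return pow(g, r % p, M) * pow(h, m % p, M) % M

def rnd():
    return secrets.randbelow(p)

def add_gate(c1, c2):
    """Addition gate: c3 = c1 * c2 commits to w1 + w2 with randomness r1 + r2."""
    return c1 * c2 % M

def prove_mult(w1, r1, w2, r2, r3, challenge):
    """Prover for w3 = w1 * w2; `challenge` is a callable standing in for the verifier."""
    d, s, t = rnd(), rnd(), rnd()
    a, b = com(d, s), com(w2 * d, t)         # initial message
    x = challenge(a, b)
    f = (x * w1 + d) % p
    z1 = (x * r1 + s) % p
    z2 = (x * r3 + t - f * r2) % p
    return a, b, x, f, z1, z2

def verify_mult(c1, c2, c3, a, b, x, f, z1, z2):
    """Accept iff c1^x a = com(f; z1) and c3^x b = c2^f * com(0; z2)."""
    return (pow(c1, x, M) * a % M == com(f, z1)
            and pow(c3, x, M) * b % M == pow(c2, f, M) * com(0, z2) % M)

def demo(w1=6, w2=7, w3=42):
    """Run the gate proof for committed w1, w2, w3 with a nonzero challenge."""
    r1, r2, r3 = rnd(), rnd(), rnd()
    c1, c2, c3 = com(w1, r1), com(w2, r2), com(w3, r3)
    proof = prove_mult(w1, r1, w2, r2, r3,
                       lambda a, b: 1 + secrets.randbelow(p - 1))
    return verify_mult(c1, c2, c3, *proof)
```

`demo()` accepts for 6 · 7 = 42, while `demo(6, 7, 43)` is rejected: the second check then compares commitments to x·43 + 7d and x·42 + 7d, which differ for every nonzero challenge.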
Σ-protocol for arithmetic circuit
Pedersen commitments
• Computational special soundness
• Perfect special honest verifier zero-knowledge
• Communication
– 1 group element per committed value
– 2 group elements and 3 field elements per multiplication gate
– Addition gates for free
ElGamal commitments
• Statistical special soundness
• Comp. special honest verifier zero-knowledge
• Communication
– 2 group elements per committed value
– 4 group elements and 3 field elements per multiplication gate
– Addition gates for free
Σ-protocol for arithmetic circuit over $\mathbb{Z}_p$
(Circuit diagram: wires $w_1$, $w_2$, $w_3$ and output $v$)
Prove hidden values respect the gates
• $w_3 = w_1 + w_2$
• $v = w_2 \cdot w_3$
Communication: O(|C|) commitments
Prover computation: O(|C|) exponentiations
Verifier computation: O(|C|) exponentiations
How efficient can arguments be?
• Zero-knowledge proofs in general have linear or superlinear communication in witness size
– Unless SAT-solving has sublinear complexity
• Zero-knowledge arguments can have sublinear communication
– Kilian 1992 gave a sublinear zero-knowledge argument for an NP-complete language
  • Commit to a probabilistically checkable proof using a hash-tree
  • Verifier makes queries to probabilistically checkable proof
  • Answer queries from verifier by revealing paths in hash-tree
Knowledge of opening of commitment to 0
• Assume setup with commitment key $ck$
• Relation $R_{ck} = \{ (c, r) : c = \mathrm{com}(0; r) \}$
• Question
– If it is the Pedersen commitment scheme it is trivial that there exists an opening $(0, r)$ of $c$, so what is the purpose of the Σ-protocol?
• Answer
– To prove knowledge of the opening
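Σ-protocol for commitment to 0
• Relation $R_{ck} = \{ (c, r) : c = \mathrm{com}(0; r) \}$
• Protocol
– Prover picks $r_0 \leftarrow \mathbb{Z}_p$ and sends $c_0 = \mathrm{com}(0; r_0)$
– Verifier sends a challenge $x \leftarrow \mathbb{Z}_p$
– Prover sends $z = x r + r_0$
– Accept if $c^x c_0 = \mathrm{com}(0; z)$
• Complete: $c^x c_0 = \mathrm{com}(0; r)^x \, \mathrm{com}(0; r_0) = \mathrm{com}(0; z)$
• Special soundness: $c^x c_0 = \mathrm{com}(0; z)$ and $c^{x'} c_0 = \mathrm{com}(0; z')$ implies $c^{x - x'} = \mathrm{com}(0; z - z')$, so witness $r = \frac{z - z'}{x - x'}$
• SHVZK: Given $x$ simulate $z \leftarrow \mathbb{Z}_p$; $c_0 = \mathrm{com}(0; z) \, c^{-x}$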
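Batch-proof for commitments containing 0
• Assume setup with commitment key $ck$
• $R_{ck} = \{ ((c_1, \ldots, c_n), (r_1, \ldots, r_n)) : c_i = \mathrm{com}(0; r_i) \}$
Statement: $c_1, \ldots, c_n$
• Protocol
– Prover picks $r_0 \leftarrow \mathbb{Z}_p$ and sends $c_0 = \mathrm{com}(0; r_0)$
– Verifier sends a challenge $x \leftarrow \mathbb{Z}_p$
– Prover sends $z = \sum_{i=0}^{n} r_i x^i$
– Accept if $\prod_{i=0}^{n} c_i^{x^i} = \mathrm{com}(0; z)$
Communication: O(1) elements
Prover: O(n) multiplications
Verifier: O(n) exponentiations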
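An added example, not part of the original slides, of the batch proof above over a constructed toy group, assuming Pedersen commitments com(m; r) = g^r h^m. It goes one step beyond the slide by counting, over every challenge x in Z_p, how often a batch passes when the answer is computed with the protocol's formula: a batch of zeros always passes, while a batch hiding a nonzero value passes only when x is a root of the polynomial with coefficients m_i, so for at most n challenges. All names are assumptions chosen for illustration.

```python
import secrets

# Constructed toy group (far too small for real use): the order-p subgroup
# of quadratic residues modulo the safe prime M = 2p + 1.
M, p = 2039, 1019
g, h = 4, 9

def com(m, r):
    """Pedersen commitment com(m; r) = g^r h^m (assumed orientation)."""
    return pow(g, r % p, M) * pow(h, m % p, M) % M

def batch_answer(rs, r0, x):
    """z = sum_{i=0}^{n} r_i x^i (mod p), where r_0 blinds the sum."""
    return sum(r * pow(x, i, p) for i, r in enumerate([r0] + rs)) % p

def batch_verify(cs, c0, x, z):
    """Accept iff prod_{i=0}^{n} c_i^(x^i) = com(0; z)."""
    acc = 1
    for i, c in enumerate([c0] + cs):
        acc = acc * pow(c, pow(x, i, p), M) % M
    return acc == com(0, z)

def accepted_challenges(ms, rs):
    """Count the challenges x in Z_p for which commitments to the values ms
    (randomness rs) pass the batch check with z computed as in the protocol."""
    r0 = secrets.randbelow(p)
    c0 = com(0, r0)
    cs = [com(m, r) for m, r in zip(ms, rs)]
    return sum(batch_verify(cs, c0, x, batch_answer(rs, r0, x))
               for x in range(p))
```

With constructed randomness `rs = [11, 22, 33, 44]`, the all-zero batch passes for all 1019 challenges, while `ms = [0, 5, 0, 0]` passes only for x = 0.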
Generalized Pedersen commitment
• Commitment key: $ck = (p, G, g, g_1, \ldots, g_n)$
• Commitment: Pick $r \leftarrow \mathbb{Z}_p$ and compute $c = \mathrm{com}(a_1, \ldots, a_n; r) = g^r \prod_{i=1}^{n} g_i^{a_i}$
• Computationally binding
– Cannot find $(a_1, \ldots, a_n, r) \neq (b_1, \ldots, b_n, s)$ for same $c$
• Perfectly hiding
– For all $(a_1, \ldots, a_n)$ we get random group element $c$
Generalized Pedersen commitment
• Commitment: $\mathrm{com}(a_1, \ldots, a_n; r) = g^r \prod_{i=1}^{n} g_i^{a_i}$
• Length-reducing
– Single group element even for large vectors $(a_1, \ldots, a_n)$
• Homomorphic: $\mathrm{com}(a_1, \ldots, a_n; r) \cdot \mathrm{com}(b_1, \ldots, b_n; s) = \mathrm{com}(a_1 + b_1, \ldots, a_n + b_n; r + s)$
• Length-reducing + homomorphic
– Parallel verifiable computation on hidden data
Cost for N-gate arithmetic circuit
• Standard argument
– O(N) elements
– O(N) verifier expos
– O(N) prover expos
– 3 rounds
• Batch argument
– O(√N) elements
– O(N) verifier mults
– O(N) prover expos
– 7 rounds