Transcript Slide 1

Efficient Zero-Knowledge Proof Systems
Jens Groth
University College London
Ξ£-protocols
β€’ 3-move proof systems (public coin: the challenge is a random string and the verifier stores no private information about it)
– Prover sends the initial message $a$
– Verifier sends the challenge $c \leftarrow \{0,1\}^\lambda$
– Prover sends the answer $z$
β€’ Complete
β€’ Special soundness
β€’ Special honest verifier zero-knowledge
Special soundness
β€’ Given two accepting transcripts $(a, c, z)$ and $(a, c', z')$ for a statement $x$ with the same initial message $a$ but two different challenges $c \neq c'$, it is possible to compute a witness $w$ such that $(x, w) \in R$
β€’ Exercise
– Argue special soundness implies soundness
Special soundness is a form of proof of knowledge
β€’ Proof of knowledge
– Not just that the statement is true, but that the prover β€œknows” the witness
β€’ Defined through extraction
– The prover β€œknows” the witness if we can extract the witness from the prover
β€’ Extraction through rewinding
– Consider the prover in the state after it has sent the initial message $a$. Rewind it to this state many times, giving it a different challenge each time. Once we have accepting answers to two different challenges, special soundness lets us compute the witness
Honest verifier zero-knowledge
[Figure: diagram relating ZK and HVZK; zero-knowledge against arbitrary verifiers implies honest-verifier zero-knowledge, so ZK is the stronger notion]
Special honest verifier zero-knowledge
β€’ There is a simulator that given the statement π‘₯
and the challenge 𝑐 can simulate the initial
message and answer such that they look like a
real transcript
– Typically this is done by first selecting the answer 𝑧 and
then computing the initial message π‘Ž
– The simulator’s advantage allowing it to make a
convincing transcript like a real prover even though it
does not have the witness is that it can compute the
transcript in reverse order
Equivalence of discrete logarithms
β€’ Assume setup $gk$ describing a group $\mathbb{G}$ of prime order $p$ with generator $g$
β€’ Relation $R = \{((gk, h, u, v), w) : u = g^w \text{ and } v = h^w\}$
β€’ Protocol
– Prover: $r \leftarrow \mathbb{Z}_p$, $a = g^r$, $b = h^r$; sends $(a, b)$
– Verifier: $c \leftarrow \mathbb{Z}_p$; sends $c$
– Prover: $z = cw + r \pmod p$; sends $z$
– Verifier accepts if $u^c a = g^z$ and $v^c b = h^z$
β€’ Exercise:
– Prove it is complete, special sound and SHVZK
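Added example (not part of Groth's slides): a Python implementation of the discrete-logarithm equality Ξ£-protocol above, with the special-soundness extractor and the SHVZK simulator next to the honest prover and verifier, so each of the three properties can be exercised mechanically. The group parameters are constructed toy values (a 2039-element subgroup, chosen so the arithmetic is easy to follow; it offers no security) and every function name is this example's own.

```python
import secrets

# Toy group, constructed for this example only: P is a safe prime, P = 2*Q + 1,
# and the group is the order-Q subgroup of squares in Z_P^*. Discrete logs in a
# 2039-element group are trivially brute-forceable, so this only illustrates
# the protocol mechanics; a real deployment uses a 256-bit curve or a 2048-bit
# MODP group. The code below only needs P, Q and two generators g, h.
P = 2039
Q = 1019
g = 4            # 2^2 mod P, a generator of the order-Q subgroup
h = 9            # 3^2 mod P, the second base appearing in the statement


def rand_exp():
    """Uniform element of the exponent field Z_Q."""
    return secrets.randbelow(Q)


def make_statement(w):
    """Statement (h, u, v) with witness w: u = g^w and v = h^w."""
    return (h, pow(g, w, P), pow(h, w, P))


def prover_announce():
    """Move 1: r <- Z_Q, a = g^r, b = h^r. The prover keeps r as state."""
    r = rand_exp()
    return (pow(g, r, P), pow(h, r, P)), r


def prover_respond(w, r, c):
    """Move 3: z = c*w + r mod Q."""
    return (c * w + r) % Q


def verify(stmt, ann, c, z):
    """Accept iff u^c * a == g^z and v^c * b == h^z."""
    hh, u, v = stmt
    a, b = ann
    return (pow(u, c, P) * a % P == pow(g, z, P)
            and pow(v, c, P) * b % P == pow(hh, z, P))


def extract(c, z, c2, z2):
    """Special soundness: two accepting transcripts sharing the announcement
    but with challenges c != c2 give w = (z - z2) / (c - c2) mod Q."""
    if c == c2:
        raise ValueError("need two different challenges")
    return (z - z2) * pow((c - c2) % Q, -1, Q) % Q


def simulate(stmt, c):
    """SHVZK simulator: choose z first, then solve for (a, b) in reverse,
    a = g^z * u^-c and b = h^z * v^-c, without ever knowing w."""
    hh, u, v = stmt
    z = rand_exp()
    a = pow(g, z, P) * pow(u, -c, P) % P
    b = pow(hh, z, P) * pow(v, -c, P) % P
    return (a, b), z


def run_honest(w, stmt):
    """One full interactive run with a random verifier challenge."""
    ann, r = prover_announce()
    c = rand_exp()
    z = prover_respond(w, r, c)
    return verify(stmt, ann, c, z)


if __name__ == "__main__":
    w = 123
    stmt = make_statement(w)
    print("honest run accepted:", run_honest(w, stmt))
    ann, r = prover_announce()
    z1, z2 = prover_respond(w, r, 17), prover_respond(w, r, 18)
    print("extracted witness:", extract(17, z1, 18, z2))
    ann_s, z_s = simulate(stmt, 17)
    print("simulated transcript accepted:", verify(stmt, ann_s, 17, z_s))
```

For a false statement ($v = h^{w'}$ with $w' \neq w$) the second check fails for every non-zero challenge, which is the $1/p$ soundness error one expects; the extractor only works because both transcripts reuse the same $r$, which is exactly why a prover must never answer two challenges for one announcement outside the rewinding experiment.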
Ξ£-protocol for arithmetic circuit over $\mathbb{Z}_p$
[Figure: a small circuit on hidden values $w_1, w_2, w_3$ with an addition gate feeding a multiplication gate whose output is $v$]
β€’ Prove hidden values respect the gates
– $w_3 = w_1 + w_2$
– $v = w_2 \cdot w_3$
β€’ Multiple Ξ£-protocols can be composed with each other using the same challenge
Non-interactive commitment
[Figure: the sender computes $c$ from $(m, r)$ and sends $c$; to open, it later sends $(m, r)$]
β€’ Hiding: $c$ does not reveal $m$
β€’ Binding: the sender can only open $c$ in one way
β€’ Key generation returns commitment key $ck$
β€’ Commitment algorithm commits to $m$ by picking randomness $r$ and computing $c = \mathrm{commit}(m; r)$
β€’ Opening consists of $(m, r)$ which allows the recipient to check that $c = \mathrm{commit}(m; r)$
Pedersen commitments
β€’ Key generation
– Pick a group $\mathbb{G}$ of prime order $p$ with random generators $g$ and $h$. Key $ck = (\mathbb{G}, p, g, h)$. (Binding is only computational and requires that the committer does not know $\log_g h$; a committer who knows it can open $c$ to any message, so in practice $h$ is derived by hashing rather than chosen by the committing party.)
β€’ Commitment
– Given $m \in \mathbb{Z}_p$ pick $r \leftarrow \mathbb{Z}_p$ and compute $c = g^m h^r$
β€’ The opening of the commitment is $(m, r)$
β€’ Exercise
– Argue it is perfectly hiding
– Verify it is homomorphic, i.e., $\mathrm{commit}(m; r) \cdot \mathrm{commit}(m'; r') = \mathrm{commit}(m + m'; r + r')$
ElGamal type commitments
β€’ Key generation
– Pick a group $\mathbb{G}$ of prime order $p$ with random generators $g$ and $h$. Key $ck = (\mathbb{G}, p, g, h)$.
β€’ Commitment
– Given $m \in \mathbb{Z}_p$ pick $r \leftarrow \mathbb{Z}_p$ and compute $c = (g^r, h^{r+m})$
β€’ The opening of the commitment is $(m, r)$
β€’ Exercise
– Argue it is perfectly binding
– Verify it is homomorphic (multiplying componentwise): $\mathrm{com}(m; r) \cdot \mathrm{com}(m'; r') = \mathrm{com}(m + m'; r + r')$
Addition gates
β€’ Consider a gate saying $w_3 = w_1 + w_2$
β€’ Given commitments $c_1 = \mathrm{com}(w_1; r_1)$ and $c_2 = \mathrm{com}(w_2; r_2)$, compute the commitment to $w_3$ as $c_3 = c_1 \cdot c_2$, which by the homomorphic property of the commitment scheme automatically gives a verifiable commitment $c_3 = \mathrm{com}(w_1 + w_2; r_1 + r_2)$ to $w_3 = w_1 + w_2$
β€’ The verifier computes $c_3$ itself from $c_1$ and $c_2$, so the gate needs neither communication nor a proof
Multiplication gates
β€’ Statement: $c_1, c_2, c_3$
β€’ Prover's witness: $w_1, r_1, w_2, r_2, w_3, r_3$ satisfying
$w_3 = w_1 w_2$, $c_1 = \mathrm{com}(w_1; r_1)$, $c_2 = \mathrm{com}(w_2; r_2)$, $c_3 = \mathrm{com}(w_3; r_3)$
β€’ Protocol
– Prover: $d, s, t \leftarrow \mathbb{Z}_p$, $a = \mathrm{com}(d; s)$, $b = \mathrm{com}(w_2 d; t)$; sends $(a, b)$
– Verifier: $x \leftarrow \mathbb{Z}_p$; sends $x$
– Prover: $f = x w_1 + d$, $z_1 = x r_1 + s$, $z_2 = x r_3 + t - f r_2$; sends $(f, z_1, z_2)$
– Verifier accepts if $c_1^x a = \mathrm{com}(f; z_1)$ and $c_3^x b = c_2^f \cdot \mathrm{com}(0; z_2)$
Ξ£-protocol for arithmetic circuit
β€’ Pedersen commitments
– Computational special soundness
– Perfect special honest verifier zero-knowledge
– Communication: 1 group element per committed value; 2 group elements and 3 field elements per multiplication gate; addition gates for free
β€’ ElGamal commitments
– Statistical special soundness
– Computational special honest verifier zero-knowledge
– Communication: 2 group elements per committed value; 4 group elements and 3 field elements per multiplication gate; addition gates for free
Ξ£-protocol for arithmetic circuit over $\mathbb{Z}_p$
[Figure: the same circuit as before, gates $w_3 = w_1 + w_2$ and $v = w_2 \cdot w_3$ on hidden values $w_1, w_2, w_3$]
β€’ Communication: $O(|C|)$ commitments
β€’ Prover computation: $O(|C|)$ exponentiations
β€’ Verifier computation: $O(|C|)$ exponentiations
How efficient can arguments be?
β€’ Zero-knowledge proofs in general have linear or superlinear communication in the witness size
– Unless SAT-solving has sublinear complexity
β€’ Zero-knowledge arguments can have sublinear communication
– Kilian 1992 gave a sublinear zero-knowledge argument for an NP-complete language
β€’ Commit to a probabilistically checkable proof using a hash-tree
β€’ The verifier makes queries to the probabilistically checkable proof
β€’ Answer the verifier's queries by revealing paths in the hash-tree
Knowledge of opening of commitment to 0
β€’ Assume setup with commitment key $ck$
β€’ Relation $R_{ck} = \{(c, r) : c = \mathrm{com}(0; r)\}$
β€’ Question
– If it is the Pedersen commitment scheme it is trivial that there exists an opening $(0, r)$ of $c$ (since $h$ generates $\mathbb{G}$, every $c$ equals $h^r$ for some $r$), so what is the purpose of the Ξ£-protocol?
β€’ Answer
– To prove knowledge of the opening
Ξ£-protocol for commitment to 0
β€’ Relation $R_{ck} = \{(c, r) : c = \mathrm{com}(0; r)\}$
β€’ Protocol
– Prover: $r_0 \leftarrow \mathbb{Z}_p$, $c_0 = \mathrm{com}(0; r_0)$; sends $c_0$
– Verifier: $x \leftarrow \mathbb{Z}_p$; sends $x$
– Prover: $z = x r + r_0$; sends $z$
– Verifier accepts if $c^x c_0 = \mathrm{com}(0; z)$
β€’ Complete: $c^x c_0 = \mathrm{com}(0; r)^x \cdot \mathrm{com}(0; r_0) = \mathrm{com}(0; xr + r_0) = \mathrm{com}(0; z)$
β€’ Special soundness: $c^x c_0 = \mathrm{com}(0; z)$ and $c^{x'} c_0 = \mathrm{com}(0; z')$ imply $c^{x - x'} = \mathrm{com}(0; z - z')$, so the witness is $r = \frac{z - z'}{x - x'}$
β€’ SHVZK: Given $x$, simulate $z \leftarrow \mathbb{Z}_p$ and $c_0 = \mathrm{com}(0; z) \cdot c^{-x}$
Batch-proof for commitments containing 0
β€’ Assume setup with commitment key $ck$
β€’ $R_{ck} = \{((c_1, \ldots, c_n), (r_1, \ldots, r_n)) : c_i = \mathrm{com}(0; r_i) \text{ for all } i\}$
β€’ Statement: $c_1, \ldots, c_n$
β€’ Protocol
– Prover: $r_0 \leftarrow \mathbb{Z}_p$, $c_0 = \mathrm{com}(0; r_0)$; sends $c_0$
– Verifier: $x \leftarrow \mathbb{Z}_p$; sends $x$
– Prover: $z = \sum_{i=0}^{n} x^i r_i$; sends $z$
– Verifier accepts if $\prod_{i=0}^{n} c_i^{x^i} = \mathrm{com}(0; z)$
β€’ Communication: $O(1)$ elements
β€’ Prover: $O(n)$ multiplications
β€’ Verifier: $O(n)$ exponentiations
β€’ If some $c_i = \mathrm{com}(m_i; r_i)$ with $m_i \neq 0$, the check holds only when $x$ is a root of the non-zero polynomial $\sum_{i=0}^{n} m_i x^i$ of degree at most $n$, so the soundness error is at most $n/p$
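Added example (not code from the slides) that serves both the single-commitment protocol on the previous slide and the batch protocol above: with $n = 1$ the batch protocol is exactly the single protocol ($z = r_0 + x r_1$, check $c_0 c_1^x = \mathrm{com}(0; z)$), so one implementation covers both, with the $n = 1$ extractor and the batch simulator included. The group is the same constructed toy Pedersen setup as the earlier examples (not secure) and the function names are this example's own.

```python
import secrets

# Toy Pedersen parameters, constructed for illustration only (same group as in
# the earlier examples; a 2039-element group has no security).
P, Q, g, h = 2039, 1019, 4, 9


def rand_exp():
    return secrets.randbelow(Q)


def com(m, r):
    """Pedersen commitment com(m; r) = g^m * h^r; com(0; r) is just h^r."""
    return pow(g, m % Q, P) * pow(h, r % Q, P) % P


def batch_announce():
    """Move 1: r0 <- Z_Q, c0 = com(0; r0)."""
    r0 = rand_exp()
    return com(0, r0), r0


def batch_respond(r0, rs, x):
    """Move 3: z = sum_{i=0}^{n} x^i r_i, evaluated with Horner's rule, so the
    prover does n multiplications in Z_Q and no exponentiations."""
    z = 0
    for r in reversed([r0] + list(rs)):
        z = (z * x + r) % Q
    return z


def batch_verify(c0, cs, x, z):
    """Accept iff prod_{i=0}^{n} c_i^{x^i} == com(0; z): n + 1 exponentiations."""
    acc, x_pow = 1, 1
    for c in [c0] + list(cs):
        acc = acc * pow(c, x_pow, P) % P
        x_pow = x_pow * x % Q
    return acc == com(0, z)


def batch_simulate(cs, x):
    """SHVZK: pick z first, then c0 = com(0; z) * prod_{i=1}^{n} c_i^{-x^i}."""
    z = rand_exp()
    c0, x_pow = com(0, z), 1
    for c in cs:
        x_pow = x_pow * x % Q
        c0 = c0 * pow(c, -x_pow, P) % P
    return c0, z


def extract_single(x, z, x2, z2):
    """n = 1 special soundness: z = r0 + x*r1, so two accepting transcripts with
    the same c0 and challenges x != x2 give r1 = (z - z2) / (x - x2)."""
    if x == x2:
        raise ValueError("need two different challenges")
    return (z - z2) * pow((x - x2) % Q, -1, Q) % Q


if __name__ == "__main__":
    rs = [rand_exp() for _ in range(8)]
    cs = [com(0, r) for r in rs]
    c0, r0 = batch_announce()
    x = rand_exp()
    z = batch_respond(r0, rs, x)
    print("batch proof for 8 commitments accepted:", batch_verify(c0, cs, x, z))
```

A single commitment that is not to zero makes the verifier's product pick up a factor $g^{x^j}$, so for a non-zero challenge the batch check fails deterministically; several non-zero messages can cancel only when $x$ hits a root of a degree-$n$ polynomial, which is the $n/p$ bound stated above. Extracting all $n$ randomisers from the batch protocol needs $n + 1$ transcripts with distinct challenges (a Vandermonde system), which is why only the $n = 1$ extractor is shown.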
Generalized Pedersen commitment
β€’ Commitment key: $ck = (p, \mathbb{G}, g, g_1, \ldots, g_n)$
β€’ Commitment: Pick $r \leftarrow \mathbb{Z}_p$ and compute $c = \mathrm{com}(a_1, \ldots, a_n; r) = g^r \prod_{i=1}^{n} g_i^{a_i}$
β€’ Computationally binding
– Cannot find $(a_1, \ldots, a_n, r) \neq (b_1, \ldots, b_n, s)$ for the same $c$
β€’ Perfectly hiding
– For all $(a_1, \ldots, a_n)$ we get a random group element $c$
Generalized Pedersen commitment
β€’ Commitment: $\mathrm{com}(a_1, \ldots, a_n; r) = g^r \prod_{i=1}^{n} g_i^{a_i}$
β€’ Length-reducing
– Single group element even for large vectors $(a_1, \ldots, a_n)$
β€’ Homomorphic
$\mathrm{com}(a_1, \ldots, a_n; r) \cdot \mathrm{com}(b_1, \ldots, b_n; s) = \mathrm{com}(a_1 + b_1, \ldots, a_n + b_n; r + s)$
β€’ Length-reducing + homomorphic
– Parallel verifiable computation on hidden data
Cost for N-gate arithmetic circuit
β€’ Standard argument
– $O(N)$ elements
– $O(N)$ verifier expos
– $O(N)$ prover expos
– 3 rounds
β€’ Batch argument
– $O(\sqrt{N})$ elements
– $O(N)$ verifier mults
– $O(N)$ prover expos
– 7 rounds