CS1952 L Spring 2019 - PowerPoint Presentation

Uploaded by alida-meadow on 2019-12-09

CS1952 L Spring 2019, Maurice Herlihy, Brown University: Privacy Coins. Zero Knowledge Proofs: I know how to solve a puzzle, and I want to prove to you that I know a solution without revealing that solution. ID: 769667




Presentation Transcript

CS1952 L Spring 2019. Maurice Herlihy, Brown University. Privacy Coins

Zero Knowledge Proofs: I know how to solve a puzzle, and I want to prove to you that I know a solution ... without revealing that solution!

Sudoku: a 9 x 9 array of cards, some face-up, some face-down. Challenge: identify the face-down cards!

Sudoku rules: each row has each digit once.

Sudoku rules: each column has each digit once.

Sudoku rules: each square has each digit once.

Hi, I'm Victoria (the verifier). Hi, I'm Peter (the prover).

Victoria: I will pay you for a solution to this puzzle. Peter: I know a solution!

Victoria: Show me, and I'll pay. Peter: Pay me, and I'll show.

Peter: I will prove I know a solution without revealing anything about it!

Peter: Here are my predictions ... (a second 9 x 9 grid of cards, laid face-down)

Victoria: Pick rows, columns, or squares. I randomly challenge your rows!

Row! Collect the cards per row.

Shuffle each row's pile of cards (shuffle, shuffle, shuffle ... for all nine rows).

Victoria: OMG! They're all 1..9. Peter: Told you!

Rewind, reload. Peter: I don't actually know a solution, but I predict Victoria will challenge my rows.

Peter: Fill in the rows (easy) and don't bother with columns and squares ...

Row! Bingo!

Victoria: OMG! They're all 1..9. Peter: (Evil laugh.) Victoria: But I learned nothing about the solution.

Each time I cheat, I get away with it with probability 1/3. So repeat the challenge multiple times.

Peter: I don't know a solution, but I guess Victoria will pick "row".

Column! Damn!

(Busted.) Victoria: Wait, what? These cards don't add up!

After k successful challenges, the probability of fooling Victoria is (1/3)^k.
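A simulation of the card-based Sudoku protocol above, written for this page and not part of the lecture: the verifier picks rows, columns or squares at random, the prover shuffles each pile before showing it, and a rows-only cheater is caught with probability approaching 1 - (1/3)^k over k rounds. The grids, group layout and function names are constructed here.

```python
import random

# Cell groups a verifier may challenge: all rows, all columns, or all 3x3 squares.
GROUPS = {
    "row": [[(r, c) for c in range(9)] for r in range(9)],
    "column": [[(r, c) for r in range(9)] for c in range(9)],
    "square": [[(3 * (b // 3) + i, 3 * (b % 3) + j) for i in range(3) for j in range(3)]
               for b in range(9)],
}

def honest_grid():
    # Constructed valid Sudoku solution (standard shift pattern): the prover's
    # face-down cards when Peter really knows a solution.
    return [[(3 * (r % 3) + r // 3 + c) % 9 + 1 for c in range(9)] for r in range(9)]

def rows_only_grid():
    # Cheating prover: every row is 1..9, columns and squares are ignored.
    return [list(range(1, 10)) for _ in range(9)]

def challenge_round(grid, kind, rng=random):
    """One challenge: Peter collects the cards of every group of the chosen kind
    and shuffles each pile; Victoria checks that each pile is exactly 1..9.
    The shuffle is what hides which card came from which cell."""
    for cells in GROUPS[kind]:
        pile = [grid[r][c] for r, c in cells]
        rng.shuffle(pile)
        if sorted(pile) != list(range(1, 10)):
            return False
    return True

def run_protocol(grid, k, seed=0):
    """k rounds; Victoria picks row/column/square uniformly at random each time."""
    rng = random.Random(seed)
    return all(challenge_round(grid, rng.choice(list(GROUPS)), rng) for _ in range(k))

def cheat_success_rate(k, trials=3000, seed=1):
    """Empirical probability that the rows-only cheater survives k rounds;
    it should approach (1/3)^k as in the last slide."""
    rng = random.Random(seed)
    wins = sum(run_protocol(rows_only_grid(), k, rng.getrandbits(32)) for _ in range(trials))
    return wins / trials
```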

Accumulators: a data structure that lets you query whether an item is in a set ... without revealing anything else about the set!

Accumulators: given a set X, the accumulator A is easy to compute. Membership test: A(x) = true if x is in X, A(y) = false if y is not. Hard to recover X from A.

Accumulator example: a product of large primes, p_1^x · p_2^y · p_3^z ... Easy to check whether a prime p is a factor. Hard to tell which other primes are factors.

Commitment: I pick a value now. Later I want to prove I picked that value then.

Commitment: Hi, I'm Alice. Bob here.

Commitment: We have a dispute! Let's settle it by flipping a coin.

Commitment: Alice: I'll call, you flip. Bob: How does that work?

Commitment: Alice: I call heads. Bob: I can't see that call.

Commitment: Put the call in a box ...

Commitment: Lock that box ...

Commitment: Bob: I flipped tails.

Commitment: Bob: I flipped tails. Alice: I called heads.

Commitment: Bob: I won. Alice: I lost.
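The locked-box coin flip as a hash commitment, added here as an illustration rather than taken from the lecture: the box is hash(r || call), Bob flips seeing only the box, and the same (call, r) pair opens it to exactly one call, so a losing Alice cannot switch. Function names and the call strings are assumptions of this example.

```python
import hashlib
import secrets

def commit(call: str, r: bytes) -> bytes:
    """Lock the call in a box. Without r, Bob cannot tell heads from tails
    (hiding); with r, the box opens to only one call (binding)."""
    return hashlib.sha256(r + b"|" + call.encode()).digest()

def open_box(box: bytes, call: str, r: bytes) -> bool:
    """Bob's check when Alice reveals (call, r)."""
    return secrets.compare_digest(box, commit(call, r))

def play(alice_call: str, bob_flip: str) -> str:
    """The slides' protocol: Alice commits, Bob flips, Alice opens, Bob verifies.
    Returns the winner's name."""
    r = secrets.token_bytes(32)          # Alice's fresh key for the box
    box = commit(alice_call, r)          # only `box` is sent to Bob before the flip
    # Bob flips without seeing the call; bob_flip is his result.
    # Alice now opens the box; Bob verifies before accepting the outcome.
    if not open_box(box, alice_call, r):
        raise ValueError("box does not open to the claimed call")
    return "Alice" if alice_call == bob_flip else "Bob"

def openable_calls(box: bytes, r: bytes) -> list:
    """What a losing Alice could still claim: which calls does the box open to?"""
    return [c for c in ("heads", "tails") if open_box(box, c, r)]
```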

Making Zerocoin: mixing is "baked in". Publishing on the blockchain costs 1 BTC. Zerocoins have value only once they are on the blockchain.

Zerocoin: mixing is "baked in" to the protocol, so you don't need to trust other players. Advantage: only trust crypto. Not as efficient as Bitcoin, but more efficient than you might think.

Zerocoin: Zerocoin lives alongside a BTC-like basecoin. Convertible, like USD and poker chips. But the basecoin is not quite compatible with BTC. Conversion breaks the link.

Zerocoin: I owned a Basecoin. Then I burned it. I have a proof I burned it. That proof is redeemable for a new Basecoin.

Bitcoin & Zerocoin Transaction Graphs (figure)

Tricky Part: How to prove I burned a Basecoin? How to prevent double-spending the proof?

Minting a Zerocoin: Pick a random secret r (never released). Pick a long random serial number S for the new zerocoin. Create the commitment C = hash(S, r). (Assume a single denomination.)

Minting a Zerocoin: Anyone can mint a Zerocoin. By itself, a Zerocoin is worthless; it has value only on the blockchain. That will cost you one Basecoin.

Mint Txn on the BTC-like blockchain, signed by Alice. Input: 1 Basecoin. Output: Hash(S, r). Alice: I just burned 1 BTC to create a Zerocoin.

Spending: I want to spend my Zerocoin. Reveal S so there is no double-spending. Give a ZK proof that "I know some r such that H(S, r) is on the chain". Pick any Zerocoin as input.

Spend Txn (next to the Mint Txn on the chain): Serial: S. ZK-Proof. Input: 1 Basecoin. Output: Bob. Make sure S was not spent earlier.

How is this Anonymous? The chain holds the commitments h_1, h_2, ..., h_K. Without r, nobody can tell which of them is hash(S, r).

Efficiency: the statement is "I know r such that H(S, r) = h_1 or H(S, r) = h_2 or ... or H(S, r) = h_K". That is a large statement, O(# coins). But the proof is only O(log # coins) in size!
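A toy ledger for the mint and spend transactions described above, added as an illustration and not taken from the lecture or from Zerocoin's code: a mint publishes C = hash(S, r), a spend reveals S, the ledger rejects a serial seen before and rejects a spend whose commitment is not on the chain. Assumption, stated in the code too: the zero-knowledge proof is stood in for by handing r to the verifier, which a real Zerocoin never does (it proves knowledge of r without revealing it); only the commitment-set and serial-number checks are faithful.

```python
import hashlib
import secrets

def mint_commitment(serial: bytes, r: bytes) -> bytes:
    """C = hash(S, r) as on the Minting slide; r is never released by the minter."""
    return hashlib.sha256(b"zerocoin-mint|" + serial + b"|" + r).digest()

class ToyZerocoinLedger:
    """Models the commitment set h_1 ... h_K and the spend-time checks.
    Assumption: spend() receives r directly instead of a ZK proof, which leaks
    which coin is being spent; a real spend proves knowledge of r in zero knowledge."""

    def __init__(self):
        self.commitments = set()     # outputs of mint transactions on the chain
        self.spent_serials = set()   # every S revealed by an accepted spend

    def mint(self):
        """Burn one basecoin (not modelled) and publish C = hash(S, r).
        Returns the secrets the minter must keep: (S, r)."""
        S, r = secrets.token_bytes(32), secrets.token_bytes(32)
        self.commitments.add(mint_commitment(S, r))
        return S, r

    def spend(self, S: bytes, r: bytes) -> str:
        """Spend transaction: reveal S, then show that hash(S, r) is on the chain."""
        if S in self.spent_serials:
            return "rejected: serial already spent"        # double-spend attempt
        if mint_commitment(S, r) not in self.commitments:
            return "rejected: no matching mint on chain"   # proof would fail
        self.spent_serials.add(S)
        return "accepted"
```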

Zerocash: Successor to Zerocoin. Zerocoin without Basecoin. Also, more efficient crypto.

Zerocash: untraceable. All txns are zerocoins only. Transaction value hidden. Splitting & merging hidden. Ledger records transaction existence only. No amounts means fewer side-channels.

What's the Catch? Public parameters are generated from random secret inputs (gigabyte size). Those inputs must be destroyed! Anyone who knows them can counterfeit coins, undetectably.

Initialization "Ceremony": Different people create parts of the parameters. Each must destroy their inputs without revealing them. OK if even one person destroys. If all collude: undetectable counterfeiting, and maybe also privacy compromised.

Initialization "Ceremony": 6 participants, undisclosed locations. "Air gapped" computers generate the pieces: bought new, wifi and Bluetooth removed, secure Linux kernel ... Input: write-once DVDs. Permanent record of inputs: message hashes published on Twitter and the BTC blockchain.

Privacy Options

  Option                          Type           Attacks                          Status
  Bitcoin                         Pseudonymous   Txn graph analysis               Default
  Single mix                      Mix            Txn graph analysis, bad mixers   Available (BTC)
  Mix chain (centralized or not)  Mix            Side channels, bad mixers        Available (BTC)
  Zerocoin                        Crypto mix     Side channels, maybe             Altcoin
  Zerocash                        Untraceable    None known                       Tricky setup

Ideas we covered in this lecture: Ethereum mixer contract; dusting attack; AML / KYC; anonymity vs pseudonymity; mixers: central, P2P, best practices; linkability: heuristics, side-channels, etc.