Slide 1: Efficient Zero-Knowledge Proofs
Jens Groth
University College London
Slide 2: Zero-knowledge proof
Figure: a Prover holding the witness and a Verifier, both holding the statement.
Soundness: the statement is true.
Zero-knowledge: nothing but the truth of the statement is revealed.
Slide 3: Internet voting
Figure: the Voter sends $\mathrm{Enc}_{pk}(\text{vote}; r)$ to the Election authorities.
Witness: vote, r.
Encryption: the vote is private.
Election authorities: "Is the vote valid?"  Voter: "The vote is valid."
Soundness: the encrypted vote is valid.
Zero-knowledge: the vote remains secret.
Slide 4: Multi-party computation
Figure: Peggy (input x) and Victor (input y) jointly compute f(x, y).
Victor: "Did you follow the protocol correctly?"  Peggy, via a zk proof: "I followed the protocol correctly."
Soundness: Peggy followed the protocol.
Zero-knowledge: Peggy's input remains secret.
Slide 5: Signatures
Figure: a Signer with sk = x and vk = f(x), and a Verifier. The signature $\mathrm{Sign}_{sk}(m)$ is a non-interactive proof of "I know x and m".
Fiat-Shamir heuristic: if the ZK proof is public coin, make it non-interactive by using a hash function to compute the challenges.
Slide 6: Statements
Statements of the form $x \in L$, where L is an NP-language.
The prover's witness is w such that $(x, w) \in R_L$.
Examples:
The plaintext of c using public key pk is m. Witness is r such that $c = \mathrm{Enc}_{pk}(m; r)$.
The circuit C is satisfiable. Witness w is an input to the circuit such that C(w) = 1.
Circuit Satisfiability is an NP-complete language.
Slide 7: Interactive proof system for L
Efficient interactive algorithms P, V.
The prover algorithm P takes as initial input a statement x and a witness w such that $(x, w) \in R_L$.
The verifier algorithm V takes as initial input a statement x.
P and V interact and afterwards V returns a bit b: b = 1 corresponds to accept, b = 0 corresponds to reject.
Completeness: honest P on $(x, w) \in R_L$ always makes honest V accept.
Slide 8: Soundness
Soundness: $\Pr[x \notin L \text{ and } b = 1] \approx 0$.
Figure: an Adversary runs the protocol with the Verifier on a statement $x \notin L$; the Verifier outputs b.
Proof or argument?
Proof (statistical/perfect soundness): (P, V) is a proof system for L if an unbounded adversary has negligible chance of convincing the verifier on a false statement.
Argument (computational soundness): (P, V) is an argument system for L if a non-uniform polynomial time adversary has negligible chance of convincing the verifier on a false statement.
Slide 10: Zero-knowledge
Zero-knowledge: the proof only reveals that the statement is true, it does not reveal anything else.
Defined by simulation: the adversary can simulate the proof without knowing the prover's witness.
Figure: a real proof of $x \in L$ (prover with witness) next to a simulated proof of $x \in L$ (no witness).
Slide 11: Efficiency
Parameters: communication, verifier computation, prover computation, number of rounds of interaction.
Fiat-Shamir heuristic: in a public coin protocol the verifier just sends random challenges. The verifier can be replaced with a cryptographic hash function. This gives a non-interactive protocol that may be verified many times.
Slide 12: Our goal
Sublinear communication. Linear computation for the verifier. Quasi-linear computation for the prover. Constant round complexity.
Zero-knowledge is easy: a proof shorter than the witness cannot leak many bits about the witness.
Soundness is hard: the prover must convince the verifier using fewer bits than the witness.
Slide 13: Example
Language $L = \{(p, \mathbb{G}, G, H, U, V) \mid \exists w: U = G^w, V = H^w\}$, where $\mathbb{G}$ is a group of prime order p and $G, H, U, V \in \mathbb{G}$.
Prover sends $A = G^r$, $B = H^r$.
Verifier sends a random challenge x.
Prover sends $f = wx + r$.
Verifier accepts if $U^x A = G^f$ and $V^x B = H^f$.

Completeness: $U^x A = (G^w)^x G^r = G^{wx + r} = G^f$ and $V^x B = (H^w)^x H^r = H^{wx + r} = H^f$, so the verifier accepts.

Soundness: write $U = G^u$, $V = H^v$, $A = G^a$, $B = H^b$. Then $U^x A = (G^u)^x G^a = G^{ux + a} = G^f$ and $V^x B = (H^v)^x H^b = H^{vx + b} = H^f$. So $ux + a = vx + b$, which is very unlikely for a randomly chosen x unless u = v and a = b.

It is not zero-knowledge.
It is special honest verifier zero-knowledge: given x in advance, simulate by picking f at random and computing $A = G^f U^{-x}$, $B = H^f V^{-x}$.
Slide 14: Batch proofs
Language $L = \{(p, \mathbb{G}, G, H, U_1, V_1, \ldots, U_n, V_n) \mid \exists w_1, \ldots, w_n: U_1 = G^{w_1}, V_1 = H^{w_1}, \ldots, U_n = G^{w_n}, V_n = H^{w_n}\}$.
Prover sends $A = G^r$, $B = H^r$.
Verifier sends a random challenge x.
Prover sends $f = r + \sum_i w_i x^i$.
Verifier accepts if $A \prod_i U_i^{x^i} = G^f$ and $B \prod_i V_i^{x^i} = H^f$.

Soundness: write $U_i = G^{u_i}$, $V_i = H^{v_i}$, $A = G^a$, $B = H^b$. Then $A \prod_i U_i^{x^i} = G^a \prod_i (G^{u_i})^{x^i} = G^{a + \sum_i u_i x^i} = G^f$ and $B \prod_i V_i^{x^i} = H^b \prod_i (H^{v_i})^{x^i} = H^{b + \sum_i v_i x^i} = H^f$. So $a + \sum_i u_i x^i = b + \sum_i v_i x^i$, which is very unlikely for a randomly chosen x unless a = b and $u_i = v_i$ for all i.
Slide 15: Schwartz-Zippel lemma
Given two different polynomials $p(X) \neq q(X)$ in $\mathbb{Z}_p[X]$ of degree n, the chance over random $x \in \mathbb{Z}_p$ that $p(x) = q(x)$ is at most n/p.
In our batch proof, the probability of $a + \sum_i u_i x^i = b + \sum_i v_i x^i$ is at most n/p for random x unless a = b and $u_i = v_i$ for all i.
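The batched equality-of-discrete-logs protocol of slides 13 and 14, with its special honest-verifier simulator and an exhaustive count of how many challenges a false statement survives (the Schwartz-Zippel bound of slide 15), as an added Python example; this is not code from the talk. It assumes a toy Schnorr group with P = 2039, q = 1019 and generators G = 4, H = 9, chosen only so that the count over all q challenges runs instantly; the function names are mine.

```python
import secrets

# Toy group: P = 2q + 1 is a safe prime, so the squares mod P form a subgroup of
# prime order q. Eleven-bit parameters are an assumption for illustration only;
# a deployment needs a >= 256-bit prime-order group.
P, q = 2039, 1019
G, H = 4, 9          # two squares mod P, hence generators of the order-q subgroup

def exp(base, e):
    """Exponentiation in the order-q subgroup; exponents live in Z_q."""
    return pow(base, e % q, P)

def make_statement(witness):
    """U_i = G^{w_i}, V_i = H^{w_i}: a true statement for the witness vector."""
    return [exp(G, w) for w in witness], [exp(H, w) for w in witness]

def prover_commit():
    """First message: A = G^r, B = H^r for a fresh random r."""
    r = secrets.randbelow(q)
    return r, (exp(G, r), exp(H, r))

def prover_respond(witness, r, x):
    """Third message: f = r + sum_i w_i x^i (n = 1 gives f = wx + r of slide 13)."""
    f = r
    for i, w in enumerate(witness, start=1):
        f = (f + w * pow(x, i, q)) % q
    return f

def verify(statement, first, x, f):
    """Accept iff A * prod_i U_i^{x^i} = G^f and B * prod_i V_i^{x^i} = H^f."""
    U, V = statement
    lhs_g, lhs_h = first
    for i, (u, v) in enumerate(zip(U, V), start=1):
        xi = pow(x, i, q)
        lhs_g = lhs_g * exp(u, xi) % P
        lhs_h = lhs_h * exp(v, xi) % P
    return lhs_g == exp(G, f) and lhs_h == exp(H, f)

def run_protocol(statement, witness):
    """Honest three-move run with a public-coin challenge."""
    r, first = prover_commit()
    x = secrets.randbelow(q)
    return verify(statement, first, x, prover_respond(witness, r, x))

def simulate(statement, x):
    """Special honest-verifier ZK simulator: knowing x in advance, pick f at random
    and set A = G^f * (prod U_i^{x^i})^{-1}, B = H^f * (prod V_i^{x^i})^{-1}."""
    U, V = statement
    f = secrets.randbelow(q)
    A, B = exp(G, f), exp(H, f)
    for i, (u, v) in enumerate(zip(U, V), start=1):
        xi = pow(x, i, q)
        A = A * pow(exp(u, xi), -1, P) % P
        B = B * pow(exp(v, xi), -1, P) % P
    return (A, B), f

def count_accepting_challenges(u, v, a, b):
    """Cheating prover with U_i = G^{u_i}, V_i = H^{v_i}, A = G^a, B = H^b.
    The G-side check forces f = a + sum_i u_i x^i, so count the challenges x in Z_q
    for which that f also passes the H-side check. Schwartz-Zippel: if some u_i != v_i
    or a != b, this is at most n of the q challenges; if the statement is true, all q."""
    statement = ([exp(G, ui) for ui in u], [exp(H, vi) for vi in v])
    first = (exp(G, a), exp(H, b))
    return sum(1 for x in range(q)
               if verify(statement, first, x, prover_respond(u, a, x)))
```

With these toy parameters the false statement in the test is accepted for exactly one challenge (x = 0, where the x^2 term vanishes), i.e. a 1/1019 chance; a real protocol draws x from a field so large that n/q is negligible, and, as slide 30 does, excludes x = 0.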
Slide 16: Pedersen commitment
Commitment key $ck = (p, \mathbb{G}, G, H)$.
$\mathrm{Commit}(a; r) = G^a H^r$ where $r \in \mathbb{Z}_p$.
Opening of commitment C is (a, r) such that $C = G^a H^r$.
Computationally binding: cannot find $a \neq b$ and r, s such that $G^a H^r = G^b H^s$.
Perfectly hiding: no matter what a is, we get a random group element C.
Slide 17: Generalized Pedersen commitment
Commitment key $ck = (p, \mathbb{G}, G_1, \ldots, G_n, H)$.
$\mathrm{Commit}(a_1, \ldots, a_n; r) = H^r \prod_i G_i^{a_i}$ where $r \in \mathbb{Z}_p$.
Computationally binding: cannot find $(a_1, \ldots, a_n, r) \neq (b_1, \ldots, b_n, s)$ for the same C.
Perfectly hiding: for all $(a_1, \ldots, a_n)$ we get a random group element C.
Slide 18: Generalized Pedersen commitment
$\mathrm{Commit}(a_1, \ldots, a_n; r) = H^r \prod_i G_i^{a_i}$ where $r \in \mathbb{Z}_p$.
Length-reducing: a single group element even for large vectors $(a_1, \ldots, a_n)$.
Homomorphic: $\mathrm{Commit}(a_1, \ldots, a_n; r) \cdot \mathrm{Commit}(b_1, \ldots, b_n; s) = \mathrm{Commit}(a_1 + b_1, \ldots, a_n + b_n; r + s)$.
Slide 19: Identical committed matrices A = B
$A_1 = \mathrm{commit}(a_1; r_1), \ldots, A_m = \mathrm{commit}(a_m; r_m)$ and $B_1 = \mathrm{commit}(b_1; s_1), \ldots, B_m = \mathrm{commit}(b_m; s_m)$, where each row $a_i$, $b_i$ is a vector of n field elements.
Prover sends C, D.
Verifier sends a random challenge x.
Prover sends f, r, s.
Verifier accepts if $C \prod_i A_i^{x^i} = \mathrm{com}(f; r)$ and $D \prod_i B_i^{x^i} = \mathrm{com}(f; s)$.

Soundness: write $C = \mathrm{com}(t; r_0)$ and $D = \mathrm{com}(t'; s_0)$. Then $C \prod_i A_i^{x^i} = \mathrm{com}(t + \sum_i a_i x^i; r) = \mathrm{com}(f; r)$ and $D \prod_i B_i^{x^i} = \mathrm{com}(t' + \sum_i b_i x^i; s) = \mathrm{com}(f; s)$. By the binding property $t + \sum_i a_i x^i = t' + \sum_i b_i x^i$, which is very unlikely for a randomly chosen x unless $a_i = b_i$ for all i, and hence A = B.

Completeness: $C = \mathrm{commit}(t; r_0)$, $D = \mathrm{commit}(t; s_0)$ for a random masking vector t, and $f = t + \sum_i a_i x^i$, $r = r_0 + \sum_i r_i x^i$, $s = s_0 + \sum_i s_i x^i$.

Efficiency
Communication: 2m + n group and field elements.
Verifier computes: 2m exponentiations.
Prover computes: 2mn exponentiations.
Rounds: 3.
Compare to O(mn) complexity using standard Pedersen commitments and no batching.
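The generalized Pedersen commitment of slides 16 to 18 and the identical-committed-matrices argument of slide 19, as an added Python example (not the talk's code). It assumes a toy group with P = 2039, q = 1019, randomizer base H = 36 and four fixed generators G_1..G_4 = 4, 9, 16, 25; a real commitment key is generated so that nobody knows a discrete-log relation between the generators, for instance by hashing to the group. The function names are mine.

```python
import secrets

P, q = 2039, 1019            # toy safe-prime group, an assumption for illustration only
H = 36                       # randomizer base (a square mod P, so of order q)
GENS = [4, 9, 16, 25]        # G_1..G_4; a real key hides the discrete logs between them

def commit(vec, r):
    """Generalized Pedersen commitment Commit(a_1..a_n; r) = H^r * prod_i G_i^{a_i}."""
    assert len(vec) <= len(GENS), "toy key supports vectors of length <= 4"
    c = pow(H, r % q, P)
    for g, a in zip(GENS, vec):
        c = c * pow(g, a % q, P) % P
    return c

def vec_add(u, v):
    return [(a + b) % q for a, b in zip(u, v)]

def vec_scale(k, u):
    return [k * a % q for a in u]

def commit_rows(rows):
    """A_i = commit(a_i; r_i) for each row of a matrix, with fresh randomness r_i."""
    rand = [secrets.randbelow(q) for _ in rows]
    return [commit(row, ri) for row, ri in zip(rows, rand)], rand

def prover_first(n):
    """First move of slide 19: C = commit(t; r_0), D = commit(t; s_0) for a random mask t."""
    t = [secrets.randbelow(q) for _ in range(n)]
    r0, s0 = secrets.randbelow(q), secrets.randbelow(q)
    return (t, r0, s0), (commit(t, r0), commit(t, s0))

def prover_respond(state, rows, r_list, s_list, x):
    """Third move: f = t + sum_i a_i x^i, r = r_0 + sum_i r_i x^i, s = s_0 + sum_i s_i x^i."""
    t, r0, s0 = state
    f, r, s = list(t), r0, s0
    for i, (row, ri, si) in enumerate(zip(rows, r_list, s_list), start=1):
        xi = pow(x, i, q)
        f = vec_add(f, vec_scale(xi, row))
        r = (r + ri * xi) % q
        s = (s + si * xi) % q
    return f, r, s

def verify(A_list, B_list, C, D, x, f, r, s):
    """Accept iff C * prod_i A_i^{x^i} = com(f; r) and D * prod_i B_i^{x^i} = com(f; s)."""
    lhs_c, lhs_d = C, D
    for i, (A, B) in enumerate(zip(A_list, B_list), start=1):
        xi = pow(x, i, q)
        lhs_c = lhs_c * pow(A, xi, P) % P
        lhs_d = lhs_d * pow(B, xi, P) % P
    return lhs_c == commit(f, r) and lhs_d == commit(f, s)

def run_identical(a_rows, b_rows, x=None):
    """Full run. The prover computes its response from a_rows and the openings of both
    matrices; if b_rows differs in any entry, the D-side check rejects for every
    nonzero x (the challenge is drawn from Z_q^* so the x^i terms cannot vanish)."""
    A_list, r_list = commit_rows(a_rows)
    B_list, s_list = commit_rows(b_rows)
    state, (C, D) = prover_first(len(a_rows[0]))
    x = secrets.randbelow(q - 1) + 1 if x is None else x
    f, r, s = prover_respond(state, a_rows, r_list, s_list, x)
    return verify(A_list, B_list, C, D, x, f, r, s)

def transcript_size(m, n):
    """Elements sent by the argument itself (C, D, f, r, s): 2 group and n + 2 field
    elements, independent of the number of rows m; the 2m commitments are the statement."""
    return {"group": 2, "field": n + 2}
```

The rejection in the unequal case is deterministic here because the two candidate openings of D differ by $G_j^{-x^i}$ for the mismatched entry, which is never the identity for $x \neq 0$; binding is what prevents a prover from finding a different opening that repairs this.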
Slide 21: Circuit Satisfiability
General: NP-complete.
Model: resembles real computation.
Benchmark: widely used in ZK proofs.
Figure: two NAND gates; inputs $a_1, b_1$ feed the first gate, whose output $a_2$ is combined with $b_2$ in the second gate, whose output is 1.
Slide 22: Standard zero-knowledge argument for CSAT
Figure: the two-NAND circuit with committed wires $\mathrm{Commit}(a_1; r_1)$, $\mathrm{Commit}(b_1; s_1)$, $\mathrm{Commit}(a_2; r_2)$, $\mathrm{Commit}(b_2; s_2)$ and output $\mathrm{Commit}(1; 0)$.
Prove committed $a_1, a_2, b_1, b_2 \in \{0, 1\}$.
Prove committed $a_2 = \neg(a_1 \wedge b_1)$ and $1 = \neg(a_2 \wedge b_2)$.
Total cost for an N-gate circuit: O(N) group and field elements, O(N) exponentiations for both prover and verifier.

Committed a, b, c such that $c = \neg(a \wedge b)$: the homomorphic property gives a commitment to 1 - c; multiplication proof for $1 - c = ab$. Cost: O(1) group and field elements, O(1) exponentiations for the prover, O(1) exponentiations for the verifier.
Committed $a \in \{0, 1\}$: multiplication proof for $a \cdot a = a$. Cost: O(1) group and field elements, O(1) exponentiations for the prover, O(1) exponentiations for the verifier.
Slide 23: Batch proof for Circuit Satisfiability
Figure: the two-NAND circuit with wires committed in batches, $\mathrm{Commit}(a_1, a_2; r)$ and $\mathrm{Commit}(b_1, b_2; s)$.
Batch proof for $a_1, a_2, b_1, b_2 \in \{0, 1\}$.
Batch proof for $a_2 = \neg(a_1 \wedge b_1)$ and $1 = \neg(a_2 \wedge b_2)$.
Total cost for an N-gate circuit: $O(\sqrt{N})$ group and field elements, O(N) multiplications for both prover and verifier.
Slide 24: Batched commitment to wires of circuit
Public commitment key $(p, \mathbb{G}, H, G_1, \ldots, G_n)$.
Commit to $a_1, \ldots, a_N$, where N = mn, as $A_1 = \mathrm{Commit}(a_{11}, \ldots, a_{1n}; r_1), \ldots, A_m = \mathrm{Commit}(a_{m1}, \ldots, a_{mn}; r_m)$.
Cost of committing to N = mn field elements: the commitment key has n group elements, there are m commitments, and batched openings contain n field elements. Setting $m = n = \sqrt{N}$ the cost is $O(\sqrt{N})$ group and field elements.
Slide 25: Batch argument for committed wires being 0/1
Want to show that $\mathrm{Commit}(a_{11}, \ldots, a_{1n}; r_1), \ldots, \mathrm{Commit}(a_{m1}, \ldots, a_{mn}; r_m)$ satisfy $a_{ij} \in \{0, 1\}$.
Equivalent to showing $a_{ij}(a_{ij} - 1) = 0$.
Define $b_{ij} = a_{ij} - 1$ and $s_i = r_i$ and compute
$\mathrm{Commit}(b_{11}, \ldots, b_{1n}; s_1) = \mathrm{Commit}(a_1; r_1) \cdot \mathrm{Commit}(-1, \ldots, -1; 0)$, …, $\mathrm{Commit}(b_{m1}, \ldots, b_{mn}; s_m) = \mathrm{Commit}(a_m; r_m) \cdot \mathrm{Commit}(-1, \ldots, -1; 0)$.
Now we need to show $a_{ij} b_{ij} = 0$.
Slide 26: Batch product argument
Want to show $a_{ij} b_{ij} = 0$ for committed values $\mathrm{Commit}(a_{11}, \ldots, a_{1n}; r_1)$, $\mathrm{Commit}(b_{11}, \ldots, b_{1n}; s_1)$, …, $\mathrm{Commit}(a_{m1}, \ldots, a_{mn}; r_m)$, $\mathrm{Commit}(b_{m1}, \ldots, b_{mn}; s_m)$.
Let the verifier pick random $y, z \in \mathbb{Z}_p$. Will demonstrate $\sum_{i,j} y^i a_{ij} b_{ij} z^j = 0$.
Schwartz-Zippel tells us that unless $a_{ij} b_{ij} = 0$ for all i, j, there is only negligible probability that this is true.
Slide 27: Simplifying the batch product argument
Given y, z the prover will demonstrate $\sum_{i,j} y^i a_{ij} b_{ij} z^j = 0$ for commitments $\mathrm{Commit}(a_{i1}, \ldots, a_{in}; r_i)$, $\mathrm{Commit}(b_{i1}, \ldots, b_{in}; s_i)$.
Defining the weighted inner product $(u_1, \ldots, u_n) \ast (v_1, \ldots, v_n) = \sum_j u_j v_j z^j$, the prover's task is to demonstrate $\sum_i y^i\, a_i \ast b_i = 0$.
Using the homomorphic property we have $\mathrm{Commit}(y^i a_i; y^i r_i) = \mathrm{Commit}(a_i; r_i)^{y^i}$.
This reduces the prover's task to showing that $\mathrm{Commit}(a_i'; r_i')$ and $\mathrm{Commit}(b_i; s_i)$, with $a_i' = y^i a_i$ and $r_i' = y^i r_i$, contain values that satisfy $\sum_i a_i' \ast b_i = 0$.
Slide 28: Idea behind batch ZK argument
Figure: the m x m table of products $a_i b_j$ (here m = 3), whose diagonal sums to $a_1 b_1 + a_2 b_2 + a_3 b_3$:
$$
\begin{array}{c|ccc}
 & b_1 & b_2 & b_3 \\ \hline
a_1 & a_1 b_1 & a_1 b_2 & a_1 b_3 \\
a_2 & a_2 b_1 & a_2 b_2 & a_2 b_3 \\
a_3 & a_3 b_1 & a_3 b_2 & a_3 b_3
\end{array}
$$
Slide 29: Idea behind batch ZK argument
Figure: multiply row i by $x^i$ and column j by $x^{-j}$, so that entry (i, j) becomes $x^{i-j} a_i b_j$:
$$
\begin{array}{c|ccc}
 & x^{-1} b_1 & x^{-2} b_2 & x^{-3} b_3 \\ \hline
x^{1} a_1 & a_1 b_1 & x^{-1} a_1 b_2 & x^{-2} a_1 b_3 \\
x^{2} a_2 & x^{1} a_2 b_1 & a_2 b_2 & x^{-1} a_2 b_3 \\
x^{3} a_3 & x^{2} a_3 b_1 & x^{1} a_3 b_2 & a_3 b_3
\end{array}
$$
Collec­ting the diagonals, the product $(x^{1} a_1 + x^{2} a_2 + x^{3} a_3)(x^{-1} b_1 + x^{-2} b_2 + x^{-3} b_3)$ equals
$$
(a_1 b_1 + a_2 b_2 + a_3 b_3) + x^{-1}(a_1 b_2 + a_2 b_3) + x^{-2}(a_1 b_3) + x^{1}(a_2 b_1 + a_3 b_2) + x^{2}(a_3 b_1).
$$
Slide 30: Main part of the batch product argument
Given commitments $\mathrm{Commit}(a_1; r_1), \mathrm{Commit}(b_1; s_1), \ldots, \mathrm{Commit}(a_m; r_m), \mathrm{Commit}(b_m; s_m)$ and the weighted inner product $\ast$, show that they contain values that satisfy $\sum_i a_i \ast b_i = 0$.
Prover sends commitments $C_{-m}, \ldots, C_{-1}, C_1, \ldots, C_m$ with $C_k = \mathrm{Commit}(c_k; t_k)$ and $c_k = \sum_{i-j=k} a_i \ast b_j$. No $C_0$ is sent: it is taken to be the trivial commitment to $c_0 = 0$.
Verifier sends a random challenge $x \in \mathbb{Z}_p^*$.
Prover gives a zero-knowledge argument for $(\sum_i x^i a_i) \ast (\sum_j x^{-j} b_j) = \sum_k x^k c_k$.
Use the homomorphic properties to compute
$A = \prod_i A_i^{x^i} = \mathrm{Commit}(\sum_i x^i a_i; \sum_i x^i r_i)$,
$B = \prod_j B_j^{x^{-j}} = \mathrm{Commit}(\sum_j x^{-j} b_j; \sum_j x^{-j} s_j)$,
$C = \prod_k C_k^{x^k} = \mathrm{Commit}(\sum_k x^k c_k; \sum_k x^k t_k)$.
The final ZK argument costs O(n) field elements and O(n) exponentiations for prover and verifier.

Soundness: look at the coefficient of $x^0$. The equation gives $\sum_{i-j=0} x^{i-j} a_i \ast b_j = \sum_i a_i \ast b_i = c_0 = 0$. By the Schwartz-Zippel lemma there is negligible probability over x of the equation holding unless $\sum_i a_i \ast b_i = 0$, as we wanted to show.
Slide 31: Total batch proof
Goal: prove that N = mn committed $a_{ij} \in \{0, 1\}$.
Method: $a_{ij} b_{ij} = 0$ where $b_{ij} = a_{ij} - 1$.
Verifier sends challenges y, z.
Prover sends $C_{-m}, \ldots, C_{-1}, C_1, \ldots, C_m$.
Verifier sends challenge x.
Prover argues that A, B, C contain $a_j, b_j, c_j$ such that $a_j b_j = c_j$.
Cost: communicates O(m + n) group and field elements; verifier uses O(m + n) exponentiations.
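The field-arithmetic side of slides 25 to 31, as an added Python example that is not code from the talk: the shift to $b_{ij} = a_{ij} - 1$, the y and z weighting, the diagonal sums $c_k$ and the identity that the final argument of slide 30 is about. The commitments are left out (each step notes which homomorphic operation performs it on commitments), the field is $\mathbb{Z}_q$ with $q = 2^{61} - 1$ standing in for the group order p of the slides, and the weighted inner product is written `weighted_inner`; all function names are mine.

```python
q = 2**61 - 1   # prime field for the arithmetic; an assumption standing in for Z_p of the slides

def weighted_inner(u, v, z):
    """(u_1..u_n) * (v_1..v_n) = sum_j u_j v_j z^j, the weighted inner product of slide 27."""
    return sum(uj * vj * pow(z, j, q)
               for j, (uj, vj) in enumerate(zip(u, v), start=1)) % q

def shifted_rows(a_rows):
    """b_ij = a_ij - 1 (slide 25): a_ij is a bit iff a_ij * b_ij = 0.
    On commitments this is Commit(a_i; r_i) * Commit(-1, ..., -1; 0)."""
    return [[(a - 1) % q for a in row] for row in a_rows]

def scaled_rows(a_rows, y):
    """a_i' = y^i a_i (slide 27); on commitments Commit(a_i; r_i)^{y^i}."""
    return [[pow(y, i, q) * a % q for a in row]
            for i, row in enumerate(a_rows, start=1)]

def diagonals(a_rows, b_rows, z):
    """c_k = sum_{i-j=k} a_i * b_j for k = -m..m (slide 30), computed the naive m^2 n way."""
    m = len(a_rows)
    c = {k: 0 for k in range(-m, m + 1)}
    for i, ai in enumerate(a_rows, start=1):
        for j, bj in enumerate(b_rows, start=1):
            c[i - j] = (c[i - j] + weighted_inner(ai, bj, z)) % q
    return c

def combine(rows, coeffs):
    """sum_i coeffs_i * row_i as a vector over Z_q."""
    out = [0] * len(rows[0])
    for row, cf in zip(rows, coeffs):
        for j, a in enumerate(row):
            out[j] = (out[j] + cf * a) % q
    return out

def reduced_claim_holds(a_rows, b_rows, z, x):
    """The identity behind slide 30: (sum_i x^i a_i) * (sum_j x^-j b_j) = sum_k x^k c_k.
    In the protocol A, B and C are formed homomorphically from A_i, B_j and C_k, and the
    verifier never sees the vectors; here they are used directly to check the algebra."""
    m = len(a_rows)
    c = diagonals(a_rows, b_rows, z)
    lhs_a = combine(a_rows, [pow(x, i, q) for i in range(1, m + 1)])
    lhs_b = combine(b_rows, [pow(x, -j, q) for j in range(1, m + 1)])   # x^-j via modular inverse
    rhs = sum(pow(x, k, q) * ck for k, ck in c.items()) % q
    return weighted_inner(lhs_a, lhs_b, z) == rhs

def bit_batch_c0(a_rows, y, z):
    """Run slides 25 to 27 and return c_0 = sum_i y^i a_i * b_i = sum_ij y^i a_ij b_ij z^j.
    The prover never sends C_0 (it is the trivial commitment to 0), so the argument only
    goes through when this value is 0; for a non-bit a_ij it is nonzero except with
    probability about (m + n)/q over the verifier's choice of y, z (slide 26)."""
    return diagonals(scaled_rows(a_rows, y), shifted_rows(a_rows), z)[0]
```

The `diagonals` loop is the $m^2 n$ computation that slide 32 replaces by evaluation at 2m points and interpolation; the identity checked by `reduced_claim_holds` is what makes that replacement possible, since the $c_k$ are exactly the coefficients of the Laurent polynomial in x.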
Slide 32: Prover's computation
Figure: the same m x m table of products $a_i b_j$ with its off-diagonal sums $a_1 b_2 + a_2 b_3$, $a_1 b_3$, $a_2 b_1 + a_3 b_2$ and $a_3 b_1$.
Naively computing all $c_k$ takes $m^2 n$ multiplications.
Instead evaluate at 2m points and use polynomial interpolation to find the coefficients of $(\sum_i a_i X^i)(\sum_j b_j X^{-j}) = \sum_k c_k X^k$.
Using the FFT to evaluate $\sum_i a_i X^i$ and $\sum_j b_j X^{-j}$, the cost is O(N log m).
Slide 33: Batch proof for Circuit Satisfiability
Figure: the two-NAND circuit with wires committed in batches, $\mathrm{Commit}(a_1, a_2; r)$ and $\mathrm{Commit}(b_1, b_2; s)$.
Batch proof for $a_1, a_2, b_1, b_2 \in \{0, 1\}$.
Batch proof for $a_2 = \neg(a_1 \wedge b_1)$ and $1 = \neg(a_2 \wedge b_2)$.
Batch wire consistency proof.
Slide 34: Wire consistency (sketch)
Committed outputs $a_i$ of gates must match the inputs $b_i$ of other gates in the circuit.
Given the permutation $\pi$ defined by the circuit wiring, the prover wants to show $b_i = a_{\pi(i)}$.
Verifier picks a random challenge x.
Prover demonstrates $\sum_i x^i b_i = \sum_i x^i a_{\pi(i)}$.
Cost: communication O(m + n) elements; verifier computation O(N) multiplications; prover computation O(N log N) multiplications.
Slide 35: Cost for N-gate circuit
                    Standard argument      Batch argument
Communication       O(N) elements          O(sqrt(N)) elements
Verifier            O(N) expos             O(N) mults
Prover              O(N) expos             O(N log N) mults
Rounds              3                      5
Slide 36: Further developments
Can they be even more efficient? Yes, pairing-based techniques give us communication of $O(N^{1/3})$ elements.
Can they be combined with group elements? Yes.
Slide 37: Efficient ZK arguments over fields & groups
Can do addition using the homomorphic properties.
Can use our techniques to show multiplicative relationships between committed values.
This gives us linear algebra over committed elements, for instance that committed matrices satisfy AB = C.
Also statements involving group elements and exponentiations, for instance $C = \prod_{i,j} A_{ij}^{b_{ij}}$.
Slide 38: Intuition
Figure: the same diagonal trick with group elements $A_i$ in the rows and exponents $b_j$ in the columns; entry (i, j) is $A_i^{x^{i-j} b_j}$:
$$
\begin{array}{c|ccc}
 & x^{-1} b_1 & x^{-2} b_2 & x^{-3} b_3 \\ \hline
A_1^{x^{1}} & A_1^{b_1} & A_1^{x^{-1} b_2} & A_1^{x^{-2} b_3} \\
A_2^{x^{2}} & A_2^{x^{1} b_1} & A_2^{b_2} & A_2^{x^{-1} b_3} \\
A_3^{x^{3}} & A_3^{x^{2} b_1} & A_3^{x^{1} b_2} & A_3^{b_3}
\end{array}
$$
Collecting the diagonals gives $A_1^{x^{-2} b_3}$, $A_1^{x^{-1} b_2} \cdot A_2^{x^{-1} b_3}$, $A_1^{b_1} \cdot A_2^{b_2} \cdot A_3^{b_3}$, $A_2^{x^{1} b_1} \cdot A_3^{x^{1} b_2}$ and $A_3^{x^{2} b_1}$.
Slide 39: Application to mix-nets
Figure: encrypted inputs $m_1, m_2, \ldots, m_N$ pass through mix-server 1 (permutation $\pi_1$) and mix-server 2 (permutation $\pi_2$), giving $m_{\pi(1)}, m_{\pi(2)}, \ldots, m_{\pi(N)}$ with $\pi = \pi_1 \pi_2$, followed by threshold decryption.
Slide 40: Problem: Corrupt mix-server
Figure: the same mix-net, but a corrupt mix-server has replaced one output, so the list entering threshold decryption is $m_{\pi(1)}, m_{\pi(2)}, \ldots, m'_{\pi(N)}$.
Slide 41: ElGamal shuffle
Mix-server gets input ciphertexts $c_1, \ldots, c_N$.
Permutes and rerandomizes the ciphertexts: $c_1' = c_{\pi(1)} \cdot (G^{r_1}, H^{r_1}), \ldots, c_N' = c_{\pi(N)} \cdot (G^{r_N}, H^{r_N})$.
Zero-knowledge argument for correct shuffle (joint work with Stephanie Bayer, UCL): communication 16N elements; verifier computation 4N exponentiations; prover computation O(N log N) exponentiations; rounds 9.
The statement $(c_1, c_1', \ldots, c_N, c_N')$ can be huge, for instance an election with 100,000 voters.
Experimental results for N = 100,000 with N = mn, m = 16, |p| = 1024, |q| = 160: communication 2.5 MB; verifier computation 52 seconds; prover computation 135 seconds.
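The mix-server operation of slide 41 (permute and rerandomize ElGamal ciphertexts) together with the relation that a shuffle argument proves and the multiset check that a corrupt server of slide 40 would fail, as an added Python example; it is not the Bayer-Groth code. It assumes a toy group with P = 2039, q = 1019, G = 4 and encodes plaintexts as $G^m$; the threshold decryption of slides 39 and 40 is replaced by a single secret key, and the function names are mine.

```python
import secrets

P, q, G = 2039, 1019, 4   # toy safe-prime group, an assumption; a real mix-net uses large groups

def keygen():
    """Secret key x and public key H = G^x (no threshold sharing in this toy)."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(G, x, P)

def encrypt(pk, M):
    """ElGamal ciphertext (G^r, H^r * M) for a plaintext M in the order-q subgroup."""
    r = secrets.randbelow(q)
    return (pow(G, r, P), pow(pk, r, P) * M % P)

def decrypt(sk, c):
    """M = c_2 * c_1^{-x}."""
    return c[1] * pow(c[0], -sk, P) % P

def rerandomize(pk, c, r):
    """c * (G^r, H^r): the same plaintext under fresh randomness."""
    return (c[0] * pow(G, r, P) % P, c[1] * pow(pk, r, P) % P)

def shuffle(pk, cts):
    """Mix-server: c'_i = c_{pi(i)} * (G^{r_i}, H^{r_i}) for a random permutation pi.
    Returns the outputs and the secret (pi, r) that the ZK argument must not reveal."""
    n = len(cts)
    pi = list(range(n))
    for i in range(n - 1, 0, -1):          # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        pi[i], pi[j] = pi[j], pi[i]
    rs = [secrets.randbelow(q - 1) + 1 for _ in range(n)]   # nonzero, so every output changes
    outs = [rerandomize(pk, cts[pi[i]], rs[i]) for i in range(n)]
    return outs, (pi, rs)

def shuffle_is_correct(pk, ins, outs, pi, rs):
    """The relation the shuffle argument is about: there exist (pi, r) with
    c'_i = c_{pi(i)} * (G^{r_i}, H^{r_i}) for all i. Here it is checked with the witness;
    the zero-knowledge argument convinces a verifier who never learns pi or r."""
    return (sorted(pi) == list(range(len(ins))) and len(outs) == len(ins) and
            all(outs[i] == rerandomize(pk, ins[pi[i]], rs[i]) for i in range(len(ins))))

def plaintexts(sk, cts):
    """What threshold decryption would output: the multiset of plaintexts, sorted."""
    return sorted(decrypt(sk, c) for c in cts)
```

Because every $r_i$ is nonzero and the plaintexts in the test are distinct, no output ciphertext equals any input ciphertext, which is the unlinkability the mix provides; without the argument, nothing stops a server from swapping one output for a fresh encryption of its own choice, which `shuffle_is_correct` and the multiset check both detect.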
Slide 42: Vision
Zero-knowledge proofs should be the cheapest component in cryptographic protocols: something you can just throw in automatically without significant overhead.
Thank you!