Efficient Zero-Knowledge Proofs - PowerPoint Presentation

Uploaded by jubilantbikers on 2020-08-06




Presentation Transcript

Slide1

Efficient Zero-Knowledge Proofs

Jens Groth

University College London

Slide2

Zero-knowledge proof

Prover (has the witness) ↔ Verifier; common input: the statement

Soundness: Statement is true

Zero-knowledge: Nothing but truth revealed

Slide3

Internet voting

Voter sends $\mathrm{Enc}_{pk}(\mathrm{vote}; r)$ to the election authorities

Witness: vote, $r$

Encryption: The vote is private

Election authorities: Is the vote valid? Voter (zero-knowledge proof): The vote is valid

Soundness: The encrypted vote is valid

Zero-knowledge: The vote remains secret

Slide4

Multi-party computation

Peggy (input $x$) and Victor (input $y$) jointly compute $f(x,y)$

Victor: Did you follow the protocol correctly? Peggy (zk proof): I followed the protocol correctly

Soundness: Peggy followed protocol

Zero-knowledge: Peggy's input remains secret

Slide5

Signatures

Signer and Verifier

$sk = x$, $vk = f(x)$

$\mathrm{Sign}_{sk}(m)$: zero-knowledge proof "I know $x$ and $m$"

Fiat-Shamir heuristic: If ZK proof is public coin make it non-interactive by using hash-function to compute challenges

Slide6

Statements

Statements of the form $x \in L$

$L$ is an NP-language

Prover's witness is $w$ such that $(x, w) \in R_L$

Examples:

The plaintext of $c$ using public key $pk$ is $m$. Witness is $r$ such that $c = \mathrm{Enc}_{pk}(m; r)$

The circuit $C$ is satisfiable. Witness $w$ is an input to the circuit such that $C(w) = 1$

Circuit Satisfiability is an NP-complete language

Slide7

Interactive proof system for L

Efficient interactive algorithms $P$, $V$

The prover algorithm $P$ takes as initial input a statement $x$ and a witness $w$ such that $(x, w) \in R_L$

The verifier algorithm $V$ takes as initial input a statement $x$

$P$ and $V$ interact and afterwards $V$ returns a bit $b$: $b = 1$ corresponds to accept, $b = 0$ corresponds to reject

Completeness: Honest $P$ on $(x, w) \in R_L$ always makes honest $V$ accept

Slide8

Soundness

Soundness: $\Pr[x \notin L \text{ and } b = 1] \approx 0$

Adversary (holding $x \notin L$) interacts with the Verifier, who outputs $b$

Slide9

Proof or argument

Proof (statistical/perfect soundness):

(P,V) is a proof system for L if an unbounded adversary has negligible chance of convincing the verifier on a false statement

Argument (computational soundness):

(P,V) is an argument system for L if a non-uniform polynomial time adversary has negligible chance of convincing the verifier on a false statement

Slide10

Zero-knowledge

Zero-knowledge:

The proof only reveals the statement is true, it does not reveal anything else

Defined by simulation:

The adversary can simulate the proof without knowing the prover's witness

(Diagram: a real proof of $x \in L$ next to a simulated proof of $x \in L$)

Slide11

Efficiency

Parameters:

Communication

Verifier computation

Prover computation

Number of rounds of interaction

Fiat-Shamir heuristic:

Public coin protocol where verifier just sends random challenges. Can replace verifier with cryptographic hash-function. Gives non-interactive protocol that may be verified many times.

Slide12

Our goal

Sublinear communication

Linear computation for verifier

Quasi-linear computation for prover

Constant round complexity

Cannot leak many bits about witness. Zero-knowledge easy.

Must convince verifier using less bits than the witness. Soundness hard.

Slide13

Example

Language $L = \{(p, \mathbb{G}, G, H, U, V) \mid \exists w: U = G^w, V = H^w\}$

$\mathbb{G}$ is a prime order $p$ group, $G, H, U, V \in \mathbb{G}$

Prover → Verifier: $A = G^r$, $B = H^r$

Verifier → Prover: $x$

Prover → Verifier: $f = wx + r$

Accept if $U^x A = G^f$ and $V^x B = H^f$

Completeness: $U^x A = (G^w)^x G^r = G^{wx + r} = G^f$ and $V^x B = (H^w)^x H^r = H^{wx + r} = H^f$. So verifier accepts

Soundness: $U^x A = (G^u)^x G^a = G^{ux + a} = G^f$ and $V^x B = (H^v)^x H^b = H^{vx + b} = H^f$. So $ux + a = vx + b$, which is very unlikely for a randomly chosen $x$ unless $u = v$ and $a = b$

It is not zero-knowledge

It is special honest verifier zero-knowledge: Given $x$ in advance simulate by picking $f$ at random and computing $A = G^f U^{-x}$, $B = H^f V^{-x}$
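The three-move protocol of this slide, its special honest-verifier simulator, and the Fiat-Shamir transformation of slides 5 and 11 applied to it, as an added worked example (example code written for this transcript, not code from the talk). It runs in a constructed toy group, the order-1019 subgroup of $\mathbb{Z}_{2039}^*$ with generators 4 and 9 chosen purely for the arithmetic; these parameters, and all function names, are assumptions and far too small for any real use.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption, not from the talk): the group is the
# order-P subgroup of Z_MOD^*, with MOD = 2P + 1.  Exponents live in Z_P.
MOD = 2039
P = 1019
G = 4   # generator of the order-P subgroup (a quadratic residue mod MOD)
H = 9   # second generator; in real use its discrete log w.r.t. G must be unknown


def gexp(base, e):
    """base^e in the group; a negative e is reduced mod P since base has order P."""
    return pow(base, e % P, MOD)


def prover_commit(r=None):
    """First message: A = G^r, B = H^r for a fresh random r."""
    r = secrets.randbelow(P) if r is None else r
    return (gexp(G, r), gexp(H, r)), r


def prover_respond(w, r, x):
    """Third message: f = w*x + r (mod P)."""
    return (w * x + r) % P


def verify(U, V, A, B, x, f):
    """Accept iff U^x A = G^f and V^x B = H^f."""
    return (gexp(U, x) * A % MOD == gexp(G, f)
            and gexp(V, x) * B % MOD == gexp(H, f))


def interactive_run(U, V, w, x):
    """Honest prover holding witness w, verifier challenge x; returns the verifier's bit."""
    (A, B), r = prover_commit()
    return verify(U, V, A, B, x, prover_respond(w, r, x))


def simulate(U, V, x):
    """Special HVZK simulator: given x in advance, pick f at random and set
    A = G^f U^{-x}, B = H^f V^{-x}.  No witness is used, yet the transcript verifies."""
    f = secrets.randbelow(P)
    A = gexp(G, f) * gexp(U, -x) % MOD
    B = gexp(H, f) * gexp(V, -x) % MOD
    return A, B, f


def fiat_shamir_challenge(U, V, A, B):
    """Fiat-Shamir: derive the public-coin challenge by hashing the statement and
    the first message, so the prover cannot pick A, B after seeing x."""
    transcript = ",".join(map(str, (MOD, P, G, H, U, V, A, B))).encode()
    return int.from_bytes(hashlib.sha256(transcript).digest(), "big") % P


def prove_noninteractive(U, V, w):
    (A, B), r = prover_commit()
    x = fiat_shamir_challenge(U, V, A, B)
    return A, B, prover_respond(w, r, x)


def verify_noninteractive(U, V, A, B, f):
    return verify(U, V, A, B, fiat_shamir_challenge(U, V, A, B), f)
```

The honest run and the simulated transcript both verify, which is exactly the special honest-verifier zero-knowledge claim of the slide; a statement with $V \neq H^w$ is rejected by the honest prover's response for every nonzero challenge, because the two exponents then differ by $(v - w)x \neq 0$.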

Slide14

Batch proofs

Language $L = \{(p, \mathbb{G}, G, H, U_1, V_1, \ldots, U_n, V_n) \mid \exists w_1, \ldots, w_n: U_1 = G^{w_1}, V_1 = H^{w_1}, \ldots, U_n = G^{w_n}, V_n = H^{w_n}\}$

Prover → Verifier: $A = G^r$, $B = H^r$

Verifier → Prover: $x$

Prover → Verifier: $f = r + \sum_i w_i x^i$

Accept if $A \prod_i U_i^{x^i} = G^f$ and $B \prod_i V_i^{x^i} = H^f$

Soundness: $A \prod_i U_i^{x^i} = G^a \prod_i (G^{u_i})^{x^i} = G^{a + \sum_i u_i x^i} = G^f$ and $B \prod_i V_i^{x^i} = H^b \prod_i (H^{v_i})^{x^i} = H^{b + \sum_i v_i x^i} = H^f$. So $a + \sum_i u_i x^i = b + \sum_i v_i x^i$, which is very unlikely for a randomly chosen $x$ unless $a = b$ and $u_i = v_i$

Slide15

Schwartz-Zippel lemma

Given two different polynomials $p(X) \neq q(X)$ in $\mathbb{Z}_p[X]$ of degree $n$, the chance over random $x \in \mathbb{Z}_p$ that $p(x) = q(x)$ is at most $n/p$

In our batch proof, the probability of $a + \sum_i u_i x^i = b + \sum_i v_i x^i$ is at most $n/p$ for random $x$ unless $a = b$ and $u_i = v_i$
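The batch proof of slide 14 with the Schwartz-Zippel bound of this slide made concrete, as an added example (my code, not the talk's). It uses the same constructed toy group as the earlier example (order-1019 subgroup of $\mathbb{Z}_{2039}^*$, generators 4 and 9, an assumption). Because the group is tiny, `count_accepting_challenges` can walk every challenge $x \in \mathbb{Z}_p$ and count how many let a prover through on a false statement; the count is bounded by the degree $n$, as the lemma predicts.

```python
import secrets

# Constructed toy parameters (assumption): order-P subgroup of Z_MOD^*, MOD = 2P + 1.
MOD = 2039
P = 1019
G = 4
H = 9


def gexp(base, e):
    return pow(base, e % P, MOD)


def batch_commit(r):
    """First message: A = G^r, B = H^r."""
    return gexp(G, r), gexp(H, r)


def batch_respond(ws, r, x):
    """Third message: f = r + sum_i w_i x^i, with i running from 1 to n."""
    return (r + sum(w * pow(x, i, P) for i, w in enumerate(ws, start=1))) % P


def batch_verify(Us, Vs, A, B, x, f):
    """Accept iff A * prod_i U_i^{x^i} = G^f and B * prod_i V_i^{x^i} = H^f."""
    lhs_g, lhs_h = A, B
    for i, (U, V) in enumerate(zip(Us, Vs), start=1):
        xi = pow(x, i, P)
        lhs_g = lhs_g * gexp(U, xi) % MOD
        lhs_h = lhs_h * gexp(V, xi) % MOD
    return lhs_g == gexp(G, f) and lhs_h == gexp(H, f)


def honest_run(ws, x):
    """Statement built from witnesses ws; honest prover; returns the verifier's bit."""
    Us = [gexp(G, w) for w in ws]
    Vs = [gexp(H, w) for w in ws]
    r = secrets.randbelow(P)
    A, B = batch_commit(r)
    return batch_verify(Us, Vs, A, B, x, batch_respond(ws, r, x))


def count_accepting_challenges(us, vs, r=0):
    """False statement: U_i = G^{u_i}, V_i = H^{v_i} with some u_i != v_i.
    The prover answers as if the u_i were the witnesses, which always satisfies
    the G-equation; the H-equation then holds only for challenges x that are
    roots of sum_i (u_i - v_i) x^i, and a nonzero polynomial of degree n has at
    most n roots in Z_P.  Returns the number of accepting x in Z_P."""
    Us = [gexp(G, u) for u in us]
    Vs = [gexp(H, v) for v in vs]
    A, B = batch_commit(r)
    return sum(1 for x in range(P)
               if batch_verify(Us, Vs, A, B, x, batch_respond(us, r, x)))
```

With $u - v = (2, -3, 1)$ the difference polynomial is $2x - 3x^2 + x^3 = x(x-1)(x-2)$, so exactly three of the 1019 challenges accept; with a single differing pair only the trivial challenge $x = 0$ does.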

Slide16

Pedersen commitment

Commitment key $ck = (p, \mathbb{G}, G, H)$

$\mathrm{Commit}(a; r) = G^a H^r$ where $r \leftarrow \mathbb{Z}_p$

Opening of commitment $C$ is $(a, r)$ such that $C = G^a H^r$

Computationally binding: Cannot find $a \neq b$, $r$, $s$ such that $G^a H^r = G^b H^s$

Perfectly hiding: No matter what $a$ is we get random group element $C$

Slide17

Generalized Pedersen commitment

Commitment key $ck = (p, \mathbb{G}, G_1, \ldots, G_n, H)$

$\mathrm{Commit}(a_1, \ldots, a_n; r) = H^r \prod_i G_i^{a_i}$ where $r \leftarrow \mathbb{Z}_p$

Computationally binding: Cannot find $(a_1, \ldots, a_n, r) \neq (b_1, \ldots, b_n, s)$ for same $C$

Perfectly hiding: For all $(a_1, \ldots, a_n)$ we get random group element $C$

Slide18

Generalized Pedersen commitment

$\mathrm{Commit}(a_1, \ldots, a_n; r) = H^r \prod_i G_i^{a_i}$ where $r \leftarrow \mathbb{Z}_p$

Length-reducing: A single group element even for large vectors $(a_1, \ldots, a_n)$

Homomorphic: $\mathrm{Commit}(a_1, \ldots, a_n; r) \cdot \mathrm{Commit}(b_1, \ldots, b_n; s) = \mathrm{Commit}(a_1 + b_1, \ldots, a_n + b_n; r + s)$
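The generalized Pedersen commitment of slides 16 to 18 with its opening check and homomorphic property, as an added example (my code, not the talk's). The generators 4, 9, 25 and $H = 121$ in the order-1019 subgroup of $\mathbb{Z}_{2039}^*$ form a constructed toy key (an assumption); a real key has to be generated so that nobody knows a discrete-log relation between the generators, which no group this small can provide. `shift_by_minus_one` is the multiply-by-$\mathrm{Commit}(-1; 0)$ step that slide 25 later uses to move from $a_{ij}$ to $a_{ij} - 1$.

```python
import secrets

# Constructed toy commitment key (assumption): ck = (P, G, G_1..G_n, H), with the
# group being the order-P subgroup of Z_MOD^*, MOD = 2P + 1.
MOD = 2039
P = 1019
GENS = [4, 9, 25]      # G_1, G_2, G_3
H = 121                # generator used for the randomness


def gexp(base, e):
    return pow(base, e % P, MOD)


def commit(values, r):
    """Commit(a_1..a_n; r) = H^r * prod_i G_i^{a_i}; values may be shorter than the key."""
    if len(values) > len(GENS):
        raise ValueError("vector longer than commitment key")
    c = gexp(H, r)
    for g, a in zip(GENS, values):
        c = c * gexp(g, a) % MOD
    return c


def random_opening(values):
    """Commit with fresh randomness; returns (C, r) so the committer can open later."""
    r = secrets.randbelow(P)
    return commit(values, r), r


def open_ok(C, values, r):
    """An opening (values, r) is valid iff it recomputes C."""
    return commit(values, r) == C


def hom_add(C1, C2):
    """Commit(a; r) * Commit(b; s) opens to (a + b; r + s)."""
    return C1 * C2 % MOD


def homomorphic_check(a, b, r, s):
    summed = [(x + y) % P for x, y in zip(a, b)]
    return hom_add(commit(a, r), commit(b, s)) == commit(summed, (r + s) % P)


def shift_by_minus_one(C):
    """Commit(a; r) * Commit(-1,...,-1; 0) opens to (a_1 - 1, ..., a_n - 1; r)."""
    return hom_add(C, commit([-1] * len(GENS), 0))
```

Binding is only computational: in this toy group every discrete log is cheap to find, so the example demonstrates the arithmetic, not the security.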

Slide19

Identical committed matrices A=B

$A_1 = \mathrm{commit}(a_1; r_1), \ldots, A_m = \mathrm{commit}(a_m; r_m)$ and $B_1 = \mathrm{commit}(b_1; s_1), \ldots, B_m = \mathrm{commit}(b_m; s_m)$

Prover → Verifier: $C, D$

Verifier → Prover: $x$

Prover → Verifier: $f, r, s$

Accept if $C \prod_i A_i^{x^i} = \mathrm{com}(f; r)$ and $D \prod_i B_i^{x^i} = \mathrm{com}(f; s)$

Soundness: $C \prod_i A_i^{x^i} = \mathrm{com}(t + \sum_i a_i x^i; r) = \mathrm{com}(f; r)$ and $D \prod_i B_i^{x^i} = \mathrm{com}(t' + \sum_i b_i x^i; s) = \mathrm{com}(f; s)$. So $t + \sum_i a_i x^i = t' + \sum_i b_i x^i$, which is very unlikely for a randomly chosen $x$ unless $a_i = b_i$, and hence $A = B$

Completeness: $C = \mathrm{commit}(t; r_0)$, $D = \mathrm{commit}(t; s_0)$, $f = t + \sum_i a_i x^i$, $r = r_0 + \sum_i r_i x^i$, $s = s_0 + \sum_i s_i x^i$
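The matrix-equality argument of this slide run end to end, as an added example (my code, not the talk's). It reuses the constructed toy Pedersen key of the earlier example (generators 4, 9, 25 and $H = 121$ in the order-1019 subgroup of $\mathbb{Z}_{2039}^*$, an assumption). `run` commits to both matrices row by row, lets the prover answer with the rows of $A$ as an honest prover would when $A = B$, and returns the verifier's decision; when the matrices differ, the $D$-equation fails unless $x$ happens to be a root of $\sum_i (a_i - b_i) x^i$, which is the Schwartz-Zippel event.

```python
import secrets

# Constructed toy parameters (assumption): Pedersen key over the order-P subgroup of Z_MOD^*.
MOD = 2039
P = 1019
GENS = [4, 9, 25]
H = 121


def gexp(base, e):
    return pow(base, e % P, MOD)


def commit(values, r):
    """Generalized Pedersen: H^r * prod_i G_i^{a_i}."""
    c = gexp(H, r)
    for g, a in zip(GENS, values):
        c = c * gexp(g, a) % MOD
    return c


def vec_add(u, v, k=1):
    """u + k*v componentwise in Z_P."""
    return [(a + k * b) % P for a, b in zip(u, v)]


def prover_first(n):
    """C = commit(t; r0), D = commit(t; s0) for a random masking row t."""
    t = [secrets.randbelow(P) for _ in range(n)]
    r0, s0 = secrets.randbelow(P), secrets.randbelow(P)
    return (commit(t, r0), commit(t, s0)), (t, r0, s0)


def prover_answer(state, rows, rs, ss, x):
    """f = t + sum_i x^i a_i, r = r0 + sum_i x^i r_i, s = s0 + sum_i x^i s_i."""
    t, r0, s0 = state
    f, r, s = list(t), r0, s0
    for i, (a_i, r_i, s_i) in enumerate(zip(rows, rs, ss), start=1):
        xi = pow(x, i, P)
        f = vec_add(f, a_i, xi)
        r = (r + r_i * xi) % P
        s = (s + s_i * xi) % P
    return f, r, s


def verifier_check(As, Bs, C, D, x, f, r, s):
    """Accept iff C prod_i A_i^{x^i} = com(f; r) and D prod_i B_i^{x^i} = com(f; s)."""
    lhs_c, lhs_d = C, D
    for i, (A_i, B_i) in enumerate(zip(As, Bs), start=1):
        xi = pow(x, i, P)
        lhs_c = lhs_c * gexp(A_i, xi) % MOD
        lhs_d = lhs_d * gexp(B_i, xi) % MOD
    return lhs_c == commit(f, r) and lhs_d == commit(f, s)


def run(rows_a, rows_b, x):
    """Commit to both matrices, run the 3-move protocol with challenge x and
    return the verifier's bit.  The prover answers from the rows of A."""
    rs = [secrets.randbelow(P) for _ in rows_a]
    ss = [secrets.randbelow(P) for _ in rows_b]
    As = [commit(a, r) for a, r in zip(rows_a, rs)]
    Bs = [commit(b, s) for b, s in zip(rows_b, ss)]
    (C, D), state = prover_first(len(rows_a[0]))
    f, r, s = prover_answer(state, rows_a, rs, ss, x)
    return verifier_check(As, Bs, C, D, x, f, r, s)
```

The masking row $t$ is what makes the opened value $f$ reveal nothing about the rows of $A$: every coordinate of $f$ is shifted by a uniformly random element of $\mathbb{Z}_p$.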

Slide20

Efficiency

Communication: $2m + n$ group and field elements

Verifier computes: $2m$ exponentiations

Prover computes: $2mn$ exponentiations

Rounds: 3

Compare to $O(mn)$ complexity using standard Pedersen commitments and no batching

Slide21

Circuit Satisfiability

General: NP-complete

Model: Resembles real computation

Benchmark: Widely used in ZK proofs

Example circuit: a NAND gate with inputs $a_1, b_1$ and output $a_2$, feeding a NAND gate with inputs $a_2, b_2$ and output $1$

Slide22

Standard zero-knowledge argument for CSAT

Prove committed $a_1, a_2, b_1, b_2 \in \{0,1\}$

Prove committed $a_2 = \neg(a_1 \wedge b_1)$, $1 = \neg(a_2 \wedge b_2)$

Total cost for $N$-gate circuit: $O(N)$ group and field elements, $O(N)$ exponentiations for both prover and verifier

Commitments to the wires: $\mathrm{Commit}(a_1; r_1)$, $\mathrm{Commit}(b_1; s_1)$, $\mathrm{Commit}(a_2; r_2)$, $\mathrm{Commit}(b_2; s_2)$, $\mathrm{Commit}(1; 0)$

NAND gate: Committed $a, b, c$ such that $c = \neg(a \wedge b)$. Homomorphic property gives $1 - c$. Multiplication proof for $1 - c = ab$. Cost $O(1)$ group and field elements, $O(1)$ exponentiations for prover, $O(1)$ exponentiations for verifier

Bit: Committed $a \in \{0,1\}$. Multiplication proof for $a \cdot a = a$. Cost $O(1)$ group and field elements, $O(1)$ exponentiations for prover, $O(1)$ exponentiations for verifier

Slide23

Batch proof for Circuit Satisfiability

$\mathrm{Commit}(a_1, a_2; r)$, $\mathrm{Commit}(b_1, b_2; s)$

Batch proof for $a_1, a_2, b_1, b_2 \in \{0,1\}$

Batch proof for $a_2 = \neg(a_1 \wedge b_1)$, $1 = \neg(a_2 \wedge b_2)$

Total cost for $N$-gate circuit: $O(\sqrt{N})$ group and field elements, $O(N)$ multiplications for both prover and verifier

(Same two-NAND circuit with wires $a_1, a_2, b_1, b_2$)

Slide24

Batched commitment to wires of circuit

Public commitment key $(p, \mathbb{G}, H, G_1, \ldots, G_n)$

Commit to $a_1, \ldots, a_N$, where $N = mn$, as $A_1 = \mathrm{Commit}(a_{11}, \ldots, a_{1n}; r_1), \ldots, A_m = \mathrm{Commit}(a_{m1}, \ldots, a_{mn}; r_m)$

Cost of committing to $N = mn$ field elements: Commitment key has $n$ group elements. There are $m$ commitments. Batched openings contain $n$ field elements. Setting $m = n$ the cost is $O(\sqrt{N})$ group and field elements

Slide25

Batch argument for committed wires being 0/1

Want to show $\mathrm{Commit}(a_{11}, \ldots, a_{1n}; r_1), \ldots, \mathrm{Commit}(a_{m1}, \ldots, a_{mn}; r_m)$ satisfy $a_{ij} \in \{0,1\}$

Equivalent to showing $a_{ij}(a_{ij} - 1) = 0$

Define $b_{ij} = a_{ij} - 1$ and $s_i = r_i$ and compute $\mathrm{Commit}(b_{11}, \ldots, b_{1n}; s_1) = \mathrm{Commit}(a_1; r_1) \cdot \mathrm{Commit}(-1; 0), \ldots, \mathrm{Commit}(b_{m1}, \ldots, b_{mn}; s_m) = \mathrm{Commit}(a_m; r_m) \cdot \mathrm{Commit}(-1; 0)$

Now need to show $a_{ij} b_{ij} = 0$

Slide26

Batch product argument

Want to show $a_{ij} b_{ij} = 0$ for committed values $\mathrm{Commit}(a_{11}, \ldots, a_{1n}; r_1)$, $\mathrm{Commit}(b_{11}, \ldots, b_{1n}; s_1)$, …, $\mathrm{Commit}(a_{m1}, \ldots, a_{mn}; r_m)$, $\mathrm{Commit}(b_{m1}, \ldots, b_{mn}; s_m)$

Let verifier pick random $y, z \in \mathbb{Z}_p$

Will demonstrate $\sum_{i,j} y^i a_{ij} b_{ij} z^j = 0$

Schwartz-Zippel tells us that unless $a_{ij} b_{ij} = 0$ for all $i, j$, there is negligible probability this is true

Slide27

Simplifying the batch product argument

Given $y, z$ prover will demonstrate $\sum_{i,j} y^i a_{ij} b_{ij} z^j = 0$ for commitments $\mathrm{Commit}(a_{i1}, \ldots, a_{in}; r_i)$, $\mathrm{Commit}(b_{i1}, \ldots, b_{in}; s_i)$

Defining $(u_1, \ldots, u_n) \ast (v_1, \ldots, v_n) = \sum_j u_j v_j z^j$ the prover's task is to demonstrate $\sum_i y^i a_i \ast b_i = 0$

Using the homomorphic property we have $\mathrm{Commit}(y^i a_i; y^i r_i) = \mathrm{Commit}(a_i; r_i)^{y^i}$

This reduces the prover's task to showing that $\mathrm{Commit}(a_i'; r_i')$, $\mathrm{Commit}(b_i; s_i)$ contain values that satisfy $\sum_i a_i' \ast b_i = 0$

Slide28

Idea behind batch ZK argument

Table of all products $a_i b_j$ (rows $a_1, a_2, a_3$; columns $b_1, b_2, b_3$):

         b_1        b_2        b_3
a_1      a_1 b_1    a_1 b_2    a_1 b_3
a_2      a_2 b_1    a_2 b_2    a_2 b_3
a_3      a_3 b_1    a_3 b_2    a_3 b_3

The diagonal gives $a_1 b_1 + a_2 b_2 + a_3 b_3$

Slide29

Idea behind batch ZK argument

Weighted by powers of $x$: row $i$ carries $x^i a_i$, column $j$ carries $x^{-j} b_j$, so entry $(i, j)$ is $x^{i-j} a_i b_j$:

               x^{-1} b_1         x^{-2} b_2         x^{-3} b_3
x^1 a_1        a_1 b_1            x^{-1} a_1 b_2     x^{-2} a_1 b_3
x^2 a_2        x^1 a_2 b_1        a_2 b_2            x^{-1} a_2 b_3
x^3 a_3        x^2 a_3 b_1        x^1 a_3 b_2        a_3 b_3

Collecting by power of $x$: $x^0 (a_1 b_1 + a_2 b_2 + a_3 b_3)$, $x^{-1} (a_1 b_2 + a_2 b_3)$, $x^{-2} (a_1 b_3)$, $x^1 (a_2 b_1 + a_3 b_2)$, $x^2 (a_3 b_1)$

Slide30

Main part of the batch product argument

Given commitments and weighted inner product $\ast$: $\mathrm{Commit}(a_1; r_1)$, $\mathrm{Commit}(b_1; s_1)$, …, $\mathrm{Commit}(a_m; r_m)$, $\mathrm{Commit}(b_m; s_m)$, show they contain values that satisfy $\sum_i a_i \ast b_i = 0$

Prover sends commitments $C_{-m}, \ldots, C_{-1}, C_1, \ldots, C_m$ with $C_k = \mathrm{Commit}(c_k; t_k)$ and $c_k = \sum_{i - j = k} a_i \ast b_j$

Verifier sends random challenge $x \in \mathbb{Z}_p^*$

Prover gives zero-knowledge argument for $(\sum_i x^i a_i) \ast (\sum_j x^{-j} b_j) = \sum_k x^k c_k$

Use homomorphic properties to compute $A = \prod_i A_i^{x^i} = \mathrm{Commit}(\sum_i x^i a_i; \sum_i x^i r_i)$, $B = \prod_j B_j^{x^{-j}} = \mathrm{Commit}(\sum_j x^{-j} b_j; \sum_j x^{-j} s_j)$, $C = \prod_k C_k^{x^k} = \mathrm{Commit}(\sum_k x^k c_k; \sum_k x^k t_k)$

The final ZK argument costs $O(n)$ field elements and $O(n)$ exponentiations for prover and verifier

Soundness: Look at the coefficient for $x^0$. The equation gives $\sum_{i - j = 0} x^{i-j} a_i \ast b_j = \sum_i a_i \ast b_i = c_0 = 0$. By the Schwartz-Zippel lemma there is negligible probability over $x$ of this being true unless $\sum_i a_i \ast b_i = 0$, as we wanted to show

Slide31

Total batch proof

Goal: Prove $N = mn$ committed $a_{ij} \in \{0,1\}$

Method: $a_{ij} b_{ij} = 0$ where $b_{ij} = a_{ij} - 1$

Verifier sends challenges $y, z$

Prover sends $C_{-m}, \ldots, C_{-1}, C_1, \ldots, C_m$

Verifier sends challenge $x$

Prover argues $A, B, C$ contain $a_j, b_j, c_j$ such that $a_j b_j = c_j$

Cost: Communicates $O(m + n)$ group and field elements. Verifier uses $O(m + n)$ exponentiations

Slide32

Prover’s computation

Table of products $a_i b_j$ (rows $a_1, a_2, a_3$; columns $b_1, b_2, b_3$), grouped along diagonals: $a_1 b_1 + a_2 b_2 + a_3 b_3$, $a_1 b_2 + a_2 b_3$, $a_1 b_3$, $a_2 b_1 + a_3 b_2$, $a_3 b_1$

Naively $m^2 n$ multiplications

Instead evaluate in $2m$ points and use polynomial interpolation to find the coefficients of $(\sum_i a_i X^i)(\sum_j b_j X^{-j}) = \sum_k c_k X^k$

Using FFT to evaluate $\sum_i a_i X^i$ and $\sum_j b_j X^{-j}$ the cost is $O(N \log m)$
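An added worked example for slides 25 to 32 (my code, not from the talk). It turns a 0/1 wire matrix into the product instance of slides 25 to 27 ($b_{ij} = a_{ij} - 1$, rows of $a$ scaled by $y^i$), computes the diagonal sums $c_k$ of slides 28 to 30 the naive way, checks the polynomial identity that the verifier's challenge $x$ tests, and recomputes the same $c_k$ by evaluating at $2m$ points and interpolating as this slide describes (plain Lagrange interpolation rather than an FFT, so the running time is not the slide's, but the coefficients are). Arithmetic is over the constructed toy field $\mathbb{Z}_{1019}$ (assumption); Python 3.8 or later is needed for `pow(x, -j, P)`.

```python
P = 1019   # constructed toy field (assumption); challenges and wire values live in Z_P


def weighted_ip(u, v, z):
    """(u_1..u_n) * (v_1..v_n) = sum_j u_j v_j z^j, the z-weighted inner product."""
    return sum(uj * vj * pow(z, j, P)
               for j, (uj, vj) in enumerate(zip(u, v), start=1)) % P


def bits_to_product_instance(bits, y):
    """Slides 25-27: rows a'_i = y^i a_i and b_i = a_i - 1, so that sum_i a'_i * b_i
    equals sum_ij y^i a_ij (a_ij - 1) z^j, which is 0 when every a_ij is a bit and
    nonzero otherwise except with Schwartz-Zippel probability over y, z."""
    rows_a = [[pow(y, i, P) * a % P for a in row] for i, row in enumerate(bits, start=1)]
    rows_b = [[(a - 1) % P for a in row] for row in bits]
    return rows_a, rows_b


def cross_terms(rows_a, rows_b, z):
    """c_k = sum_{i-j=k} a_i * b_j for k in -(m-1)..(m-1); c_0 is the diagonal sum."""
    m = len(rows_a)
    c = {k: 0 for k in range(-(m - 1), m)}
    for i in range(1, m + 1):
        for j in range(1, m + 1):
            c[i - j] = (c[i - j] + weighted_ip(rows_a[i - 1], rows_b[j - 1], z)) % P
    return c


def scaled_sum(rows, x, sign):
    """sum_i x^(sign*i) row_i as a vector; sign = -1 uses x^{-i}, so x must be nonzero."""
    acc = [0] * len(rows[0])
    for i, row in enumerate(rows, start=1):
        w = pow(x, sign * i, P)
        acc = [(s + w * v) % P for s, v in zip(acc, row)]
    return acc


def check_identity(rows_a, rows_b, z, x):
    """The verifier's test: (sum_i x^i a_i) * (sum_j x^-j b_j) == sum_k x^k c_k."""
    c = cross_terms(rows_a, rows_b, z)
    lhs = weighted_ip(scaled_sum(rows_a, x, 1), scaled_sum(rows_b, x, -1), z)
    rhs = sum(ck * pow(x, k, P) for k, ck in c.items()) % P
    return lhs == rhs


def _mul_by_linear(poly, root):
    """Multiply a coefficient list (lowest degree first) by (X - root)."""
    out = [0] * (len(poly) + 1)
    for d, coef in enumerate(poly):
        out[d + 1] = (out[d + 1] + coef) % P
        out[d] = (out[d] - root * coef) % P
    return out


def interpolate(points):
    """Lagrange interpolation over Z_P; returns coefficients, lowest degree first."""
    coeffs = [0] * len(points)
    for t, (xt, yt) in enumerate(points):
        basis, denom = [1], 1
        for u, (xu, _) in enumerate(points):
            if u != t:
                basis = _mul_by_linear(basis, xu)
                denom = denom * (xt - xu) % P
        scale = yt * pow(denom, -1, P) % P
        for d, coef in enumerate(basis):
            coeffs[d] = (coeffs[d] + scale * coef) % P
    return coeffs


def cross_terms_by_interpolation(rows_a, rows_b, z):
    """Slide 32: X^(m-1) (sum_i a_i X^i) * (sum_j b_j X^-j) is an ordinary polynomial
    of degree <= 2m-2, so 2m evaluations determine its coefficients, and the
    coefficient of X^d is c_{d-(m-1)}."""
    m = len(rows_a)
    points = []
    for xt in range(1, 2 * m + 1):           # 2m distinct nonzero points (constructed)
        val = weighted_ip(scaled_sum(rows_a, xt, 1), scaled_sum(rows_b, xt, -1), z)
        points.append((xt, pow(xt, m - 1, P) * val % P))
    coeffs = interpolate(points)
    return {d - (m - 1): coeffs[d] for d in range(2 * m - 1)}
```

The identity holds for every $x$ because $\ast$ is bilinear, so the verifier learns nothing from a true statement; what makes $x$ useful is that a prover who committed to a wrong $c_0$ can only pass at the few $x$ where the two Laurent polynomials agree.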

Slide33

Batch proof for Circuit Satisfiability

$\mathrm{Commit}(a_1, a_2; r)$, $\mathrm{Commit}(b_1, b_2; s)$

Batch proof for $a_1, a_2, b_1, b_2 \in \{0,1\}$

Batch proof for $a_2 = \neg(a_1 \wedge b_1)$, $1 = \neg(a_2 \wedge b_2)$

Batch wire consistency proof

(Same two-NAND circuit with wires $a_1, a_2, b_1, b_2$)

Slide34

Wire consistency (sketch)

Committed outputs of gates $a_i$ matching inputs $b_i$ to other gates in circuit

Given permutation $\pi$ defined by circuit wiring prover wants to show $b_i = a_{\pi(i)}$

Verifier picks random challenge $x$

Prover demonstrates $\sum_i x^i b_i = \sum_i x^{\pi(i)} a_{\pi(i)}$

Cost: Communication $O(m + n)$ elements. Verifier computation $O(N)$ multiplications. Prover computation $O(N \log N)$ multiplications

Slide35

Cost for N-gate circuit

Standard argument: $O(N)$ elements, $O(N)$ verifier expos, $O(N)$ prover expos, 3 rounds

Batch argument: $O(\sqrt{N})$ elements, $O(N)$ verifier mults, $O(N \log N)$ prover mults, 5 rounds

Slide36

Further developments

Can they be even more efficient? Yes, pairing-based techniques give us communication of $O(N^{1/3})$ elements

Can they be combined with group elements? Yes

Slide37

Efficient ZK arguments over fields & groups

Can do addition using homomorphic properties

Can use our techniques to show multiplicative relationship between committed values

Gives us linear algebra over committed elements. For instance committed matrices satisfy $AB = C$

Statements involving group elements and exponentiations. For instance $C = \prod_{i,j} A_{ij}^{b_{ij}}$

Slide38

Intuition

The same diagonal trick with group elements: row $i$ carries $A_i^{x^i}$, column $j$ carries $x^{-j} b_j$, so entry $(i, j)$ is $A_i^{x^{i-j} b_j}$:

                 x^{-1} b_1             x^{-2} b_2             x^{-3} b_3
A_1^{x^1}        A_1^{b_1}              A_1^{x^{-1} b_2}       A_1^{x^{-2} b_3}
A_2^{x^2}        A_2^{x^1 b_1}          A_2^{b_2}              A_2^{x^{-1} b_3}
A_3^{x^3}        A_3^{x^2 b_1}          A_3^{x^1 b_2}          A_3^{b_3}

Collecting by power of $x$: $A_1^{x^{-2} b_3}$, $A_1^{x^{-1} b_2} \cdot A_2^{x^{-1} b_3}$, $A_1^{b_1} \cdot A_2^{b_2} \cdot A_3^{b_3}$, $A_2^{x^1 b_1} \cdot A_3^{x^1 b_2}$, $A_3^{x^2 b_1}$

Slide39

Application to mix-nets

Messages $m_1, m_2, \ldots, m_N$ enter the mix-net, pass through mix-servers applying $\pi_1$ and then $\pi_2$, and come out as $m_{\pi(1)}, m_{\pi(2)}, \ldots, m_{\pi(N)}$ with $\pi = \pi_1 \pi_2$, followed by threshold decryption

Slide40

Problem: Corrupt mix-server

Same mix-net: $m_1, m_2, \ldots, m_N$ through $\pi_1$ and $\pi_2$ with $\pi = \pi_1 \pi_2$, output $m_{\pi(1)}, m_{\pi(2)}, \ldots, m_{\pi(N)}$, then threshold decryption. One of the mix-servers may be corrupt

Slide41

Mix-server gets input ciphertexts $c_1, \ldots, c_N$

Permutes and rerandomizes ciphertexts $c_1' = c_{\pi(1)} \cdot (G^{r_1}, H^{r_1}), \ldots, c_N' = c_{\pi(N)} \cdot (G^{r_N}, H^{r_N})$

Zero-knowledge argument for correct shuffle (ElGamal shuffle)

Joint work with Stephanie Bayer, UCL

Communication: 16N elements. Verifier computation: 4N exponentiations. Prover computation: $O(N \log N)$ exponentiations. Rounds: 9

Statement $(c_1, c_1', \ldots, c_N, c_N')$ can be huge. For instance election with 100,000 voters.

Experimental results for $N = 100{,}000$: $N = mn$, where $m = 16$, $|p| = 1024$, $|q| = 160$. Communication: 2.5 MB. Verifier computation: 52 seconds. Prover computation: 135 seconds
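The shuffle operation that the argument of this slide has to certify, as an added example (my code, not the Bayer-Groth implementation). It uses a constructed toy ElGamal setup (order-1019 subgroup of $\mathbb{Z}_{2039}^*$, generator 4, an assumption) in which messages are group elements. `honest_mix` permutes and rerandomizes exactly as in $c_i' = c_{\pi(i)} \cdot (G^{r_i}, H^{r_i})$, and `same_plaintexts` is the check that only a holder of the decryption key could perform; the zero-knowledge shuffle argument is what lets everyone else verify the same property without the key, which is why a corrupt mix-server cannot quietly swap a ballot.

```python
import secrets

# Constructed toy ElGamal parameters (assumption): order-P subgroup of Z_MOD^*, MOD = 2P + 1.
MOD = 2039
P = 1019
G = 4


def gexp(base, e):
    return pow(base, e % P, MOD)


def keygen():
    """Secret key sk, public key H = G^sk."""
    sk = secrets.randbelow(P - 1) + 1
    return sk, gexp(G, sk)


def encrypt(H, m, r=None):
    """ElGamal: (G^r, m * H^r); m must be a group element."""
    r = secrets.randbelow(P) if r is None else r
    return gexp(G, r), m * gexp(H, r) % MOD


def decrypt(sk, ct):
    c1, c2 = ct
    return c2 * pow(gexp(c1, sk), -1, MOD) % MOD


def rerandomize(H, ct, r):
    """ct * (G^r, H^r): same plaintext, ciphertext unlinkable to the input."""
    return ct[0] * gexp(G, r) % MOD, ct[1] * gexp(H, r) % MOD


def shuffle(H, cts, perm, rs):
    """c_i' = c_{perm[i]} * (G^{r_i}, H^{r_i}) for the mix-server's secret perm and rs."""
    return [rerandomize(H, cts[perm[i]], rs[i]) for i in range(len(cts))]


def honest_mix(H, cts):
    n = len(cts)
    perm = list(range(n))
    secrets.SystemRandom().shuffle(perm)
    rs = [secrets.randbelow(P - 1) + 1 for _ in range(n)]   # nonzero, so every output changes
    return shuffle(H, cts, perm, rs)


def same_plaintexts(sk, cts_in, cts_out):
    """Multiset of decrypted inputs equals multiset of decrypted outputs."""
    return sorted(decrypt(sk, c) for c in cts_in) == sorted(decrypt(sk, c) for c in cts_out)


def demo(n=5):
    """An honest mix preserves the plaintext multiset while changing every ciphertext;
    a corrupt server that replaces one output is caught by the key holder."""
    sk, H = keygen()
    msgs = [gexp(G, i + 1) for i in range(n)]           # constructed distinct messages
    cts = [encrypt(H, m) for m in msgs]
    mixed = honest_mix(H, cts)
    honest_ok = same_plaintexts(sk, cts, mixed) and not set(mixed) & set(cts)
    corrupt = list(mixed)
    corrupt[0] = encrypt(H, gexp(G, n + 1))             # swapped-in ballot
    corrupt_ok = same_plaintexts(sk, cts, corrupt)
    return honest_ok, corrupt_ok
```

Decrypting to audit a shuffle, as `same_plaintexts` does, would destroy voter privacy in a real election; the point of the slide's argument is to give the verifier the same assurance from the public statement $(c_1, c_1', \ldots, c_N, c_N')$ alone.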

Slide42

Vision

Zero-knowledge proofs should be the cheapest component in cryptographic protocols

Something you can just throw in automatically without significant overhead

Thank you!