Slide 1
Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture
Eli Ben-Sasson, Alessandro Chiesa, Eran Tromer and Madars Virza
USENIX Security Symposium 2014

Slide 2
Outline
- Warm-up example
- Problem definition
- Contribution
- Evaluation
- Comparison
- Question time

Slide 3
What is a zero knowledge proof
Interactive zero knowledge proof
- Theoretical systems where a first party ('Prover') exchanges messages with a second party ('Verifier') to convince the Verifier that some mathematical statement is true.
Properties
- Completeness: an honest prover can convince the verifier
- Soundness: no cheating prover can convince the verifier of a false statement
- Zero-knowledge: no cheating verifier learns anything other than whether the statement is true or false

Slide 4
Example
- AT&T wants to assign frequencies optimally across base stations
- Seeks help from Google
- No payment until AT&T knows Google has the coloring
- No solution until Google is paid

Slide 5
Solve the dilemma
Zero knowledge proof
- AT&T places an empty chart in the room and leaves
- Google walks in, shuffles the pens, colors the nodes and covers each node with a hat
- AT&T walks in and challenges one of the edges
- Repeat until confidence is high enough

Slide 6
Non-interactive zero knowledge proof
Problem with interactive solution
- No conversation, no proof
- Cannot maintain conversation with many verifiers
Desired properties
- Solution and proof achieved in one pass

Slide 7
Non-interactive solution
- Let Google prepare a sequence of color pairs
- Trivial to cheat: modify the coloring whenever adjacent nodes conflict
- An extra mile: no control over the edge sequence
Solution
- Take all the commitments from the proof iterations and join them into a batch
- Compute the hash of the batch, and treat the hash as if it were a sequence of integers

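The batch-then-hash step on this slide is the Fiat-Shamir heuristic. As an added example (not from the slides or the paper), here it is applied to the coloring game, with salted SHA-256 commitments standing in for the hats. The function names, the sample graph, the 16-byte nonces and the choice of SHA-256 are assumptions of this sketch.

```python
import hashlib
import secrets

def commit(color, nonce):
    """Hash commitment: the 'hat' covering one node's color."""
    return hashlib.sha256(nonce + bytes([color])).digest()

def challenge(edges, batch, round_no):
    """Derive the challenged edge from the graph and ALL commitments."""
    data = repr(edges).encode() + batch + round_no.to_bytes(4, "big")
    digest = hashlib.sha256(data).digest()
    return edges[int.from_bytes(digest, "big") % len(edges)]

def prove(edges, coloring, rounds):
    rng = secrets.SystemRandom()
    committed = []
    for _ in range(rounds):
        perm = [0, 1, 2]
        rng.shuffle(perm)  # "shuffle the pens": fresh color names each round
        colors = [perm[c] for c in coloring]
        nonces = [secrets.token_bytes(16) for _ in colors]
        coms = [commit(c, r) for c, r in zip(colors, nonces)]
        committed.append((colors, nonces, coms))
    # Join every round's commitments into one batch before any edge is known.
    batch = b"".join(b"".join(coms) for _, _, coms in committed)
    proof = []
    for i, (colors, nonces, coms) in enumerate(committed):
        u, v = challenge(edges, batch, i)
        proof.append((coms, (colors[u], nonces[u]), (colors[v], nonces[v])))
    return proof

def verify(edges, n_nodes, proof, rounds):
    # Reject short proofs and malformed commitment lists up front.
    if len(proof) != rounds or any(len(c) != n_nodes for c, _, _ in proof):
        return False
    batch = b"".join(b"".join(coms) for coms, _, _ in proof)
    for i, (coms, (cu, ru), (cv, rv)) in enumerate(proof):
        u, v = challenge(edges, batch, i)  # recomputed, never prover-chosen
        if cu == cv or cu not in (0, 1, 2) or cv not in (0, 1, 2):
            return False
        if commit(cu, ru) != coms[u] or commit(cv, rv) != coms[v]:
            return False
    return True

# Constructed sample graph and valid 3-coloring (not from the slides).
EDGES = [(0, 1), (1, 2), (2, 0), (2, 3), (3, 4)]
COLORING = [0, 1, 2, 0, 1]
if __name__ == "__main__":
    print(verify(EDGES, 5, prove(EDGES, COLORING, 200), 200))
```

Because a prover can regenerate commitments offline until the hash selects convenient edges, the round count has to be much larger than in the interactive game, and the verifier must enforce it.
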
Slide 8
Problem definition
Security problem
- A client owns a public input x
- A server owns private input DB
- Client wishes to learn z = A(x, DB) for problem A known to both parties
Integrity vs. confidentiality

Slide 9
More than that
Universality
- "hash" function for all kinds of problems
Efficiency
- Interfacing problem to a universal setting
- Conduct efficient proving & verification

Slide 10
General Solution

Slide 11
General Solution

Slide 12
Circuit generation
Limitation of prior work
- Per-program key generation
- Limited support for high-level languages
Proposal
- One setting for all problems
- Python?
- A mini von Neumann architecture: vnTinyMem

Slide 13
Circuit generation
Goal
- Validity of instruction fetch
- Validity of instruction execution
- Validity of memory access

Slide 14
Circuit generation
Approach
- CPU operation states (registers S and instruction I)
- Trace = (S_1, I_1, …, S_T, I_T)
- Non-deterministic routing

Slide 15
SNARK for circuit
Tailored implementation of underlying components
- Finite-field arithmetic, elliptic-curve group arithmetic, pairing-based checks, and so on
Performance

Slide 16
Evaluation
Circuit generator
- Additive dependence on program size
- Most gates dedicated to checking execution

Slide 17
Evaluation
SNARK
- Low time consumption per gate
- Small proof/key size

Slide 18
Comparison
Pinocchio: Nearly Practical Verifiable Computation
- Similar proof tool chain workflow
- Constant proof size
- Circuit generation: program analysis
- Restricts loop iteration bounds and memory accesses to be known at compile time
- Good for circuit-like routines
- Bad for memory-intensive programs

Slide 19
Comparison
Pantry: Verifying computations with state
- Re-implemented protocol in "Pinocchio", allows data-dependent memory access
- Extends verifiable map-reduce framework
- Gate consumption is high for memory accesses
- Also relies on program analysis

Slide 20
Comparison
TRUESET: Faster Verifiable Set Computations
- Mixture of arithmetic gates and set gates
- Specialized in set operations (SQL subset)
- Intersection, union and set difference
- Input-specific runtime

Slide 21
Thank you
Question & answer