
Efficient Zero-Knowledge Proof Systems

Efficient Zero-Knowledge Proof Systems. Jens Groth, University College London. Public coin: Random challenge, verifier does not store private information about challenge. Σ-protocols. 3-move proof systems. Complete. Special soundness. Special honest verifier zero-knowledge. Special soundness.


Presentation Transcript


  1. Efficient Zero-Knowledge Proof Systems Jens Groth University College London

  2. Public coin: Random challenge, verifier does not store private information about challenge Σ-protocols • 3-move proof systems • Complete • Special soundness • Special honest verifier zero-knowledge

  3. Special soundness • Given two accepting transcripts and for a statement with the same initial message , but two different challenges it is possible to compute witness such that • Exercise • Argue special soundness implies soundness

  4. Special soundness is a form of proof of knowledge • Proof of knowledge • Not just that the statement is true, but that the prover “knows” the witness • Defined through extraction • The prover “knows” the witness if we can extract the witness from the prover • Extraction through rewinding • Consider prover in the state after the initial message has been sent. Rewind it many times to this state giving it different challenges. Once we have answers to two different challenges, we can extract the witness

  5. Honest verifier zero-knowledge ZK HVZK

  6. Special honest verifier zero-knowledge • There is a simulator that given the statement and the challenge can simulate the initial message and answer such that they look like a real transcript • Typically this is done by first selecting the answer and then computing the initial message • The simulator’s advantage allowing it to make a convincing transcript like a real prover even though it does not have the witness is that it can compute the transcript in reverse order

  7. Equivalence of discrete logarithms • Assume setup describing a group of prime order with generator • Relation • Exercise: Prove it is complete, special sound and SHVZK Accept if

  8. Σ-protocol for arithmetic circuit over • Prove hidden values respect the gates • Multiple Σ-protocols can be composed with each other using the same challenge

  9. Non-interactive commitment • Binding: Sender can only open in one way • Hiding: does not reveal • Key generation returns commitment key • Commitment algorithm commits to by picking randomness and computing • Opening consists of which allows recipient to check that

  10. Pedersen commitments • Key generation • Pick a group of prime order with random generators and . Key . • Commitment • Given pick and compute • The opening of the commitment is • Exercise • Argue it is perfectly hiding • Verify it is homomorphic, i.e.,

  11. ElGamal type commitments • Key generation • Pick a group of prime order with random generators and . Key . • Commitment • Given pick and compute • The opening of the commitment is • Exercise • Argue it is perfectly binding • Verify it is homomorphic

  12. Addition gates • Consider a gate saying • Given commitments and compute the commitment to as which by the homomorphic property of the commitment scheme automatically gives a verifiable commitment to

  13. Multiplication gates • Statement: • Prover’s witness: satisfying Accept if

  14. Σ-protocol for arithmetic circuit • Pedersen commitments: computational special soundness; perfect special honest verifier zero-knowledge; communication: 1 group element per committed value, 2 group elements and 3 field elements per multiplication gate; addition gates for free • ElGamal commitments: statistical special soundness; computational special honest verifier zero-knowledge; communication: 2 group elements per committed value, 4 group elements and 3 field elements per multiplication gate; addition gates for free

  15. Σ-protocol for arithmetic circuit over • Prove hidden values respect the gates • Communication: O(|C|) commitments • Prover computation: O(|C|) exponentiations • Verifier computation: O(|C|) exponentiations

  16. How efficient can arguments be? • Zero-knowledge proofs in general have linear or superlinear communication in witness size • Unless SAT-solving has sublinear complexity • Zero-knowledge arguments can have sublinear communication • Kilian 1992 gave a sublinear zero-knowledge argument for NP-complete language • Commit to a probabilistically checkable proof using a hash-tree • Verifier makes queries to probabilistically checkable proof • Answer queries from verifier by revealing paths in hash-tree

  17. Knowledge of opening of commitment to 0 • Assume setup with commitment key • Relation • Question • If it is the Pedersen commitment scheme it is trivial that there exists an opening of , so what is the purpose of the Σ-protocol? • Answer • To prove knowledge of the opening

  18. Σ-protocol for commitment to 0 • Relation • Complete: • Special soundness: and implies so witness • SHVZK: Given simulate Accept if

  19. Batch-proof for commitments containing 0 • Assume setup with commitment key • Statement: • Accept if • Communication: O(1) elements • Prover: O(n) multiplications • Verifier: O(n) exponentiations

  20. Generalized Pedersen commitment • Commitment key: • Commitment: Pick and compute • Computationally binding • Cannot find for same • Perfectly hiding • For all we get random group element

  21. Generalized Pedersen commitment • Commitment: • Length-reducing • Single group element even for large vectors • Homomorphic • Length-reducing + homomorphic • Parallel verifiable computation on hidden data

  22. Cost for N-gate arithmetic circuit • Standard argument • O(N) elements • O(N) verifier expos • O(N) prover expos • 3 rounds • Batch argument • O(N) elements • O(N) verifier mults • O(N) prover expos • 7 rounds
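
The Pedersen scheme of slide 10 and the addition gate of slide 12, as an added Python example that is not part of the original slides. The slide formulas did not survive in this transcript, so the standard form c = g^m · h^r is assumed; the toy group, the brute-forced trapdoor and all function names are constructed for illustration.

```python
import secrets

# Constructed toy parameters: far too small for real use.
P = 2039            # safe prime, P = 2*Q + 1
Q = 1019            # prime order of the subgroup of squares mod P
G, H = 4, 9         # two squares, so both generate the order-Q subgroup

def commit(m, r=None):
    """Return (c, r) with c = G^m * H^r mod P; (m, r) is the opening."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, m % Q, P) * pow(H, r % Q, P)) % P, r

def verify_opening(c, m, r):
    """Recipient's check: recompute the commitment from the opening."""
    return c == commit(m, r)[0]

def add_gate(c_a, c_b):
    """Homomorphic addition: the product commits to a + b under r_a + r_b."""
    return (c_a * c_b) % P

def trapdoor():
    """Brute-force t with H = G^t. Feasible only because the group is tiny."""
    return next(t for t in range(1, Q) if pow(G, t, P) == H)

def equivocate(m, r, m_new, t):
    """With trapdoor t, find r_new so that (m_new, r_new) opens the same c."""
    return (r + (m - m_new) * pow(t, -1, Q)) % Q

def demo():
    c_a, r_a = commit(20)
    c_b, r_b = commit(22)
    # Addition gate: anyone can compute c_sum; the prover can open it to 42.
    c_sum = add_gate(c_a, c_b)
    homomorphic = verify_opening(c_sum, 42, (r_a + r_b) % Q)
    # Perfect hiding: c_a is consistent with every message, here 777.
    # Binding therefore rests only on log_G(H) being unknown to the sender.
    r_new = equivocate(20, r_a, 777, trapdoor())
    same_commitment = verify_opening(c_a, 777, r_new)
    return homomorphic, same_commitment

if __name__ == "__main__":
    print(demo())
```

In a real deployment H must be generated so that nobody knows its discrete logarithm with respect to G, since that value is exactly the trapdoor used by `equivocate`.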
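
The Σ-protocol for a commitment to 0 (slides 17 and 18), together with the rewinding extractor of slides 3 and 4 and the reverse-order simulator of slide 6, as an added Python example that is not part of the original slides. The protocol equations are missing from this transcript, so the usual Schnorr-style form is assumed (initial message a = h^r0, answer z = x·r + r0, accept if c^x · a = h^z); the toy group and all names are constructed for illustration.

```python
import secrets

# Constructed toy parameters: far too small for real use.
P, Q = 2039, 1019   # safe prime P = 2*Q + 1, subgroup of prime order Q
G, H = 4, 9         # Pedersen key; a commitment to 0 is c = G^0 * H^r = H^r

def prover_init():
    """Move 1: pick r0 and send a = H^r0, a fresh commitment to 0."""
    r0 = secrets.randbelow(Q)
    return pow(H, r0, P), r0

def prover_answer(r, r0, x):
    """Move 3: answer z = x*r + r0 mod Q to the public-coin challenge x."""
    return (x * r + r0) % Q

def verify(c, a, x, z):
    """Accept if c^x * a = H^z."""
    return (pow(c, x, P) * a) % P == pow(H, z, P)

def extract(t1, t2):
    """Special soundness: same a, different challenges, yields the witness r."""
    (a1, x1, z1), (a2, x2, z2) = t1, t2
    if a1 != a2 or (x1 - x2) % Q == 0:
        raise ValueError("need the same initial message and distinct challenges")
    return ((z1 - z2) * pow((x1 - x2) % Q, -1, Q)) % Q

def simulate(c, x):
    """SHVZK: pick the answer z first, then solve for a. No witness is used."""
    z = secrets.randbelow(Q)
    a = (pow(H, z, P) * pow(c, -x, P)) % P
    return a, x, z

def demo():
    r = secrets.randbelow(Q)
    c = pow(H, r, P)                                # statement: c commits to 0
    a, r0 = prover_init()                           # prover state after move 1
    x1 = secrets.randbelow(Q)
    x2 = (x1 + 1 + secrets.randbelow(Q - 1)) % Q    # a different challenge
    t1 = (a, x1, prover_answer(r, r0, x1))          # first run
    t2 = (a, x2, prover_answer(r, r0, x2))          # rewound to the same state
    honest_ok = verify(c, *t1) and verify(c, *t2)
    extracted_ok = extract(t1, t2) == r
    simulated_ok = verify(c, *simulate(c, x1))
    return honest_ok, extracted_ok, simulated_ok

if __name__ == "__main__":
    print(demo())
```

The extractor is also the reason a prover must never reuse r0: two answers under the same initial message reveal the opening to anyone who sees both transcripts.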
