210 likes | 348 Views
Linear Algebra with Sub-linear Zero-Knowledge Arguments. Jens Groth University College London. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A A A A A A A A A A. Motivation . Why does Victor want to know my password, bank statement, etc.?.
E N D
Linear Algebra with Sub-linear Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAAAAAA
Motivation Why does Victor want to know my password, bank statement, etc.? Did Peggy honestly follow the protocol? No! Show me all your inputs! Peggy Victor
Zero-knowledge argument Statement Zero-knowledge:Nothing but truth revealed Witness Soundness:Statement is true Prover Verifier
Statements • Mathematical theorem: 2+2=4 • Identification: I am me! • Verification: I followed the protocol correctly. • Anything: X belongs to NP-language L
Our contribution • Perfect completeness • Perfect (honest verifier) zero-knowledge • Computational soundness • Discrete logarithm problem • Efficient
Which NP-language L? Circuit Satisfiability! Anonymous Proxy Group Voting! George theGeneralist Sarah theSpecialist
Linear algebra Great, it is NP-complete If I store votes as vectors and add them... George theGeneralist Sarah theSpecialist
Levels of statements Circuit satisfiability Known
Reduction 1 Circuit satisfiability See paper
Reduction 2 Example:
Reduction 3 commit Peggy Victor
Pedersen commitment • Computationally binding • Discrete logarithm hard • Perfectly hiding • Only 1 group element to commit to n elements • Only n group elements to commit to n rows of matrix Computational soundness Perfect zero-knowledge Sub-linear size
Pedersen commitment • Homomorphic • So
Example of reduction 3 commit
Reduction 4 commit
Example of reduction 4 Soundness: For the sm parts to match for random s it must be that • Statement: Commitments to • Peggy → Victor: Commits to diagonal sums • Peggy ← Victor: Challenge • New statement:
Reducing prover’s computation • Computing diagonal sums requires ω(mn) multiplications • With 2log m rounds prover only uses O(mn) multiplications
Basic step Known