Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Efficient Zero-Knowledge Proof Systems
Jens Groth
University College London
Σ-protocols
• 3-move proof systems
• Complete
• Special soundness
• Special honest verifier zero-knowledge
Diagram: prover sends initial message $a$; verifier sends random challenge $c \leftarrow \{0,1\}^\lambda$; prover sends answer $z$
Public coin: Random challenge, verifier does not store private information about challenge
Special soundness
• Given two accepting transcripts and for a statement with the same initial message, but two different challenges, it is possible to compute a witness such that
• Exercise
– Argue special soundness implies soundness
Special soundness is a form of proof of knowledge
• Proof of knowledge
– Not just that the statement is true, but that the prover “knows” the witness
• Defined through extraction
– The prover “knows” the witness if we can extract the witness from the prover
• Extraction through rewinding
– Consider the prover in the state after the initial message has been sent. Rewind it many times to this state, giving it different challenges. Once we have answers to two different challenges, we can extract the witness
Honest verifier zero-knowledge
Diagram labels: ZK, HVZK
Special honest verifier zero-knowledge
• There is a simulator that, given the statement and the challenge, can simulate the initial message and answer such that they look like a real transcript
– Typically this is done by first selecting the answer and then computing the initial message
– The simulator’s advantage, allowing it to make a convincing transcript like a real prover even though it does not have the witness, is that it can compute the transcript in reverse order
Equivalence of discrete logarithms
• Assume setup describing a group of prime order with generator
• Relation
• Exercise: Prove it is complete, special sound and SHVZK
Diagram: prover picks $r \leftarrow \mathbb{Z}_p$ and sends $a, b$; verifier sends challenge $c \leftarrow \mathbb{Z}_p$; prover answers $z = cw + r$; verifier accepts if the verification equations hold (the equations are not in the transcript)
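The following is an added worked example (not code from the slides or from the author) of the Σ-protocol for equality of discrete logarithms, together with the rewinding extractor for special soundness and the reverse-order SHVZK simulator described earlier. It assumes a constructed toy group: the quadratic residues modulo the safe prime P = 2039 form a subgroup of prime order Q = 1019, with generators G = 4 and H = 9; function names, the statement encoding (y, v) = (G^w, H^w) and the acceptance equations G^z = y^c a, H^z = v^c b are this example's own choices.

```python
import secrets

# Toy group, constructed for illustration only: quadratic residues mod the safe
# prime P form a subgroup of prime order Q. Real deployments use ~256-bit groups.
P, Q = 2039, 1019
G, H = 4, 9   # two generators of the order-Q subgroup (4 = 2^2, 9 = 3^2 mod P)


def keygen():
    """Witness w and statement (y, v) = (G^w, H^w): the claim is log_G y = log_H v."""
    w = secrets.randbelow(Q)
    return w, (pow(G, w, P), pow(H, w, P))


def prover_initial(r=None):
    """Move 1: prover picks r and sends the initial message (a, b) = (G^r, H^r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, r, P), pow(H, r, P)), r


def verifier_challenge():
    """Move 2: public-coin challenge c drawn from Z_Q; nothing is stored about it."""
    return secrets.randbelow(Q)


def prover_answer(w, r, c):
    """Move 3: z = c*w + r mod Q."""
    return (c * w + r) % Q


def verify(stmt, init, c, z):
    """Accept if G^z = y^c * a and H^z = v^c * b."""
    y, v = stmt
    a, b = init
    return (pow(G, z, P) == pow(y, c, P) * a % P and
            pow(H, z, P) == pow(v, c, P) * b % P)


def run_protocol(w, stmt):
    """Completeness: an honest prover with witness w convinces the verifier."""
    init, r = prover_initial()
    c = verifier_challenge()
    z = prover_answer(w, r, c)
    return verify(stmt, init, c, z)


def extract(c1, z1, c2, z2):
    """Special soundness: two accepting transcripts sharing the initial message
    with c1 != c2 give w = (z1 - z2) / (c1 - c2) mod Q. This is what the
    rewinding extractor computes after replaying the prover on a second challenge."""
    return (z1 - z2) * pow((c1 - c2) % Q, -1, Q) % Q


def simulate(stmt, c):
    """SHVZK simulator: pick the answer z first, then solve the verification
    equations for (a, b). The transcript is distributed exactly like a real one,
    yet the simulator never needed w."""
    y, v = stmt
    z = secrets.randbelow(Q)
    a = pow(G, z, P) * pow(pow(y, c, P), -1, P) % P
    b = pow(H, z, P) * pow(pow(v, c, P), -1, P) % P
    return (a, b), z


if __name__ == "__main__":
    w, stmt = keygen()
    print("honest run accepted:", run_protocol(w, stmt))
    init, r = prover_initial()
    c1, c2 = 5, 9
    z1, z2 = prover_answer(w, r, c1), prover_answer(w, r, c2)
    print("extracted witness matches:", extract(c1, z1, c2, z2) == w)
    sim_init, sim_z = simulate(stmt, c1)
    print("simulated transcript accepted:", verify(stmt, sim_init, c1, sim_z))
```

Because the challenge space has size Q, a prover without the witness survives a single run with probability at most 1/Q; in the toy group that is about 0.1%, which is why real parameters use a group order of roughly 2^256.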
Σ-protocol for arithmetic circuit over
Diagram: arithmetic circuit with wire values $w_1, w_2, w_3$ and $v$
Prove hidden values respect the gates
Multiple Σ-protocols can be composed with each other using the same challenge
Non-interactive commitment
• Key generation returns commitment key
• Commitment algorithm commits to by picking randomness and computing
• Opening consists of which allows recipient to check that
Diagram: sender commits to message $m$ with randomness $r$ and sends commitment $c$
Hiding: does not reveal
Binding: Sender can only open in one way
Pedersen commitments
• Key generation
– Pick a group of prime order with random generators and . Key .
• Commitment
– Given pick and compute
• The opening of the commitment is
• Exercise
– Argue it is perfectly hiding
– Verify it is homomorphic, i.e.,
ElGamal type commitments
• Key generation
– Pick a group of prime order with random generators and . Key .
• Commitment
– Given pick and compute
• The opening of the commitment is
• Exercise
– Argue it is perfectly binding
– Verify it is homomorphic
Addition gates
• Consider a gate saying
• Given commitments and compute the commitment to as
which by the homomorphic property of the commitment scheme automatically gives a verifiable commitment to
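As an added example (not from the slides) covering the Pedersen and ElGamal-type commitment slides and the addition-gate slide above: both schemes are implemented over the same constructed toy group (P = 2039, Q = 1019, key G = 4, H = 9), their homomorphic property is used to derive the commitment to w3 = w1 + w2 without any prover message, and the toy size makes the two security properties tangible: a brute-force discrete logarithm recovers the unique opening of an ElGamal commitment (perfectly binding), while the trapdoor log_G H lets a Pedersen commitment be opened to any message (perfectly hiding, only computationally binding). The brute-force helper and all function names are this example's own.

```python
import secrets

# Toy group, constructed for illustration: order-Q subgroup of Z_P^*, P = 2Q+1.
P, Q = 2039, 1019
G, H = 4, 9   # commitment key: generators with (normally) unknown relative discrete log


def discrete_log(base, target):
    """Brute force over Z_Q. Only feasible because the toy group is tiny."""
    for e in range(Q):
        if pow(base, e, P) == target:
            return e
    raise ValueError("target not in subgroup")


# --- Pedersen: c = G^m H^r, perfectly hiding, computationally binding ---
def pedersen_commit(m, r=None):
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, m % Q, P) * pow(H, r, P) % P, r


def pedersen_check(c, m, r):
    return c == pow(G, m % Q, P) * pow(H, r, P) % P


def pedersen_add(c1, c2):
    """Homomorphic: commit(m1, r1) * commit(m2, r2) = commit(m1 + m2, r1 + r2)."""
    return c1 * c2 % P


def pedersen_equivocate(m, r, m_new):
    """With the trapdoor t = log_G H, the commitment G^m H^r = G^(m + t r) opens to
    m_new with r_new = r + (m - m_new)/t. Shows binding is only computational:
    it relies on nobody knowing t."""
    t = discrete_log(G, H)
    return (r + (m - m_new) * pow(t, -1, Q)) % Q


# --- ElGamal type: c = (G^r, G^m H^r), perfectly binding, computationally hiding ---
def elgamal_commit(m, r=None):
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, r, P), pow(G, m % Q, P) * pow(H, r, P) % P), r


def elgamal_check(c, m, r):
    return c == (pow(G, r, P), pow(G, m % Q, P) * pow(H, r, P) % P)


def elgamal_add(c1, c2):
    """Homomorphic component-wise."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)


def elgamal_brute_force_open(c):
    """The first component fixes r, the second then fixes m: exactly one opening
    exists (perfect binding). Hiding is only computational, as this shows."""
    r = discrete_log(G, c[0])
    gm = c[1] * pow(pow(H, r, P), -1, P) % P
    return discrete_log(G, gm), r


# --- Addition gate w3 = w1 + w2 ---
def addition_gate_pedersen(w1, w2):
    """Prover commits to w1, w2; the verifier derives the commitment to w3 itself
    (free gate); the prover can open it with (w1 + w2, r1 + r2)."""
    c1, r1 = pedersen_commit(w1)
    c2, r2 = pedersen_commit(w2)
    c3 = pedersen_add(c1, c2)                 # verifier side, no message needed
    w3, r3 = (w1 + w2) % Q, (r1 + r2) % Q     # prover's opening of c3
    return pedersen_check(c3, w3, r3)


if __name__ == "__main__":
    print("addition gate verified:", addition_gate_pedersen(10, 20))
    c, r = pedersen_commit(5, 7)
    print("Pedersen opened to 99 with trapdoor:", pedersen_check(c, 99, pedersen_equivocate(5, 7, 99)))
    ce, re_ = elgamal_commit(42, 17)
    print("ElGamal unique opening:", elgamal_brute_force_open(ce))
```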
Multiplication gates
• Statement:
• Prover’s witness: satisfying
Diagram: prover picks $d, s, t \leftarrow \mathbb{Z}_p$ and sends $a, b$; verifier sends challenge $x \leftarrow \mathbb{Z}_p$; prover answers $f, z_1, z_2$ with $f = x w_1 + d$; verifier accepts if the verification equations hold (the equations are not in the transcript)
Σ-protocol for arithmetic circuit
Pedersen commitments
• Computational special soundness
• Perfect special honest verifier zero-knowledge
• Communication
– 1 group element per committed value
– 2 group elements and 3 field elements per multiplication gate
– Addition gates for free
ElGamal commitments
• Statistical special soundness
• Computational special honest verifier zero-knowledge
• Communication
– 2 group elements per committed value
– 4 group elements and 3 field elements per multiplication gate
– Addition gates for free
Σ-protocol for arithmetic circuit over
Diagram: arithmetic circuit with wire values $w_1, w_2, w_3$ and $v$
Prove hidden values respect the gates
Communication: O(|C|) commitments
Prover computation: O(|C|) exponentiations
Verifier computation: O(|C|) exponentiations
How efficient can arguments be?
• Zero-knowledge proofs in general have linear or superlinear communication in witness size
– Unless SAT-solving has sublinear complexity
• Zero-knowledge arguments can have sublinear communication
– Kilian 1992 gave a sublinear zero-knowledge argument for NP-complete language
• Commit to a probabilistically checkable proof using a hash-tree
• Verifier makes queries to probabilistically checkable proof
• Answer queries from verifier by revealing paths in hash-tree
Knowledge of opening of commitment to 0
• Assume setup with commitment key
• Relation
• Question
– If it is the Pedersen commitment scheme it is trivial that there exists an opening of , so what is the purpose of the Σ-protocol?
• Answer
– To prove knowledge of the opening
Σ-protocol for commitment to 0
• Relation
• Complete:
• Special soundness: and implies so witness
• SHVZK: Given simulate
Diagram: prover picks $r_0 \leftarrow \mathbb{Z}_p$ and sends $c_0$; verifier sends challenge $x \leftarrow \mathbb{Z}_p$; prover answers $z = x r + r_0$; verifier accepts if the verification equation holds (the equation is not in the transcript)
Batch-proof for commitments containing 0
• Assume setup with commitment key
Diagram: prover picks $r_0 \leftarrow \mathbb{Z}_p$ and sends $c_0$; verifier sends challenge $x \leftarrow \mathbb{Z}_p$; prover answers $z = \sum_{i=0}^{n} x^i r_i$; verifier accepts if the verification equation holds (the equation is not in the transcript)
Statement:
Communication: O(1) elements
Prover: O(n) multiplications
Verifier: O(n) exponentiations
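An added example (not from the slides) for the two preceding slides: the Σ-protocol proving knowledge of the opening of one Pedersen commitment to 0, and its batched version for n commitments, which sends the same O(1) elements while the prover only performs O(n) field multiplications and the verifier O(n) exponentiations. The same constructed toy group (P = 2039, Q = 1019, key G = 4, H = 9) is used; the acceptance checks H^z = c^x c_0 and H^z = c_0 · Π c_i^{x^i} are this example's reconstruction, as are all function names. The batch runner optionally swaps one commitment for a commitment to 1 to show the verifier rejecting.

```python
import secrets

# Toy group, constructed for illustration: order-Q subgroup of Z_P^*, P = 2Q+1.
P, Q = 2039, 1019
G, H = 4, 9   # Pedersen key; a commitment to 0 is c = G^0 H^r = H^r


def commit_zero(r=None):
    if r is None:
        r = secrets.randbelow(Q)
    return pow(H, r, P), r


# --- single commitment: prove knowledge of r with c = H^r ---
def prove_init():
    """Initial message c_0 = H^{r_0} for fresh r_0."""
    r0 = secrets.randbelow(Q)
    return pow(H, r0, P), r0


def prove_answer(r, r0, x):
    """z = x*r + r_0 mod Q."""
    return (x * r + r0) % Q


def verify_single(c, c0, x, z):
    """Accept if H^z = c^x * c_0 (holds since H^{xr + r0} = (H^r)^x H^{r0})."""
    return pow(H, z, P) == pow(c, x, P) * c0 % P


# --- batch: n commitments c_i = H^{r_i}, one challenge x, one answer z ---
def batch_answer(rs, r0, x):
    """z = sum_{i=0}^{n} x^i r_i with r_0 the masking randomness (x^0 = 1).
    Cost: n field multiplications for the powers plus n for the products."""
    z, xi = r0, 1
    for r in rs:
        xi = xi * x % Q
        z = (z + xi * r) % Q
    return z


def verify_batch(cs, c0, x, z):
    """Accept if H^z = c_0 * prod_i c_i^{x^i}: n exponentiations in the group."""
    rhs, xi = c0, 1
    for c in cs:
        xi = xi * x % Q
        rhs = rhs * pow(c, xi, P) % P
    return pow(H, z, P) == rhs


def run_batch(rs, x=None, cheat_index=None):
    """Full exchange. If cheat_index is set, that commitment is replaced by a
    commitment to 1 under the same randomness; the prover still answers
    honestly with the r_i it knows, and the verifier must reject."""
    cs = [commit_zero(r)[0] for r in rs]
    if cheat_index is not None:
        cs[cheat_index] = G * cs[cheat_index] % P     # now G^1 H^{r_i}
    c0, r0 = prove_init()
    if x is None:
        x = secrets.randbelow(Q)
    z = batch_answer(rs, r0, x)
    return verify_batch(cs, c0, x, z)


if __name__ == "__main__":
    c, r = commit_zero()
    c0, r0 = prove_init()
    x = secrets.randbelow(Q)
    print("single proof accepted:", verify_single(c, c0, x, prove_answer(r, r0, x)))
    rs = [secrets.randbelow(Q) for _ in range(8)]
    print("batch of 8 accepted:", run_batch(rs))
    print("batch with one non-zero commitment accepted:", run_batch(rs, cheat_index=3))
```

The batch has soundness error roughly n/Q rather than 1/Q: a bad commitment at position i escapes only if the degree-n polynomial in x vanishes at the challenge, which is why the challenge is drawn after all commitments are fixed.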
Generalized Pedersen commitment
• Commitment key:
• Commitment: Pick and compute
• Computationally binding
– Cannot find for same
• Perfectly hiding
– For all we get random group element
Generalized Pedersen commitment
• Commitment:
• Length-reducing
– Single group element even for large vectors
• Homomorphic
• Length-reducing + homomorphic
– Parallel verifiable computation on hidden data
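An added example (not from the slides) of the generalized Pedersen commitment to a vector, c = h^r · Π g_i^{m_i}, showing the two properties just listed: the commitment is a single group element however long the vector is, and the homomorphism lets anyone derive a commitment to a linear combination of hidden vectors, so the committer can later open the result of a computation performed on all coordinates in parallel. It uses the constructed toy group (P = 2039, Q = 1019); the generators are derived by squaring hash outputs so their relative discrete logarithms are unknown (a stand-in for hash-to-group; this derivation and all function names are this example's own).

```python
import hashlib
import secrets

# Toy group, constructed for illustration: order-Q subgroup of Z_P^*, P = 2Q+1.
P, Q = 2039, 1019


def derive_generator(label):
    """Nothing-up-my-sleeve generator: square a hash output mod P so it lands in
    the order-Q subgroup and nobody knows discrete logs between generators."""
    counter = 0
    while True:
        h = int.from_bytes(hashlib.sha256(f"{label}:{counter}".encode()).digest(), "big")
        g = pow(h % P, 2, P)
        if g not in (0, 1):
            return g
        counter += 1


def keygen(n):
    """Commitment key (h, g_1..g_n) for vectors of length n."""
    return derive_generator("h"), [derive_generator(f"g{i}") for i in range(1, n + 1)]


def commit(key, m, r=None):
    """c = h^r * prod g_i^{m_i}: one group element for the whole vector."""
    h, gs = key
    if len(m) != len(gs):
        raise ValueError("vector length must match the key")
    if r is None:
        r = secrets.randbelow(Q)
    c = pow(h, r, P)
    for g, mi in zip(gs, m):
        c = c * pow(g, mi % Q, P) % P
    return c, r


def check(key, c, m, r):
    return c == commit(key, m, r)[0]


def combine(cs, coeffs):
    """Homomorphic: prod c_j^{a_j} commits to sum_j a_j * m_j under randomness sum_j a_j r_j."""
    out = 1
    for c, a in zip(cs, coeffs):
        out = out * pow(c, a % Q, P) % P
    return out


def verifiable_linear_combination(key, vectors, coeffs):
    """Committer commits to several vectors; anyone derives the commitment to
    sum_j a_j * v_j from those single elements (one operation per commitment,
    regardless of vector length); the committer opens the derived commitment.
    Returns (verifier's check result, the opened result vector)."""
    commits = [commit(key, v) for v in vectors]
    derived = combine([c for c, _ in commits], coeffs)          # verifier side
    n = len(vectors[0])
    result = [sum(a * v[i] for a, v in zip(coeffs, vectors)) % Q for i in range(n)]
    r = sum(a * r_j for a, (_, r_j) in zip(coeffs, commits)) % Q  # committer side
    return check(key, derived, result, r), result


if __name__ == "__main__":
    key = keygen(4)
    c, r = commit(key, [1, 2, 3, 4])
    print("commitment to a 4-vector is one element:", c)
    ok, result = verifiable_linear_combination(key, [[1, 2, 3, 4], [10, 20, 30, 40]], [3, 1])
    print("3*v1 + v2 opened and verified:", ok, result)
```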
Cost for N-gate arithmetic circuit
• Standard argument
– O(N) elements
– O(N) verifier expos
– O(N) prover expos
– 3 rounds
• Batch argument
– O(N) elements
– O(N) verifier mults
– O(N) prover expos
– 7 rounds