Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Post on 17-Dec-2015



Efficient Zero-Knowledge Proof Systems

Jens Groth

University College London

• 3-move proof systems

• Complete
• Special soundness
• Special honest verifier zero-knowledge

Σ-protocols

Protocol diagram: the prover sends an initial message $a$, the verifier replies with a random challenge $c \leftarrow \{0,1\}^\lambda$, and the prover answers with $z$.

Public coin: the challenge is random, and the verifier stores no private information about the challenge

Special soundness

• Given two accepting transcripts and for a statement with the same initial message , but two different challenges it is possible to compute witness such that

• Exercise
– Argue special soundness implies soundness

Special soundness is a form of proof of knowledge

• Proof of knowledge
– Not just that the statement is true, but that the prover “knows” the witness
• Defined through extraction
– The prover “knows” the witness if we can extract the witness from the prover
• Extraction through rewinding
– Consider the prover in the state after the initial message has been sent. Rewind it many times to this state, giving it different challenges. Once we have answers to two different challenges, we can extract the witness

Honest verifier zero-knowledge

Diagram: ZK and HVZK

Special honest verifier zero-knowledge

• There is a simulator that, given the statement and the challenge, can simulate the initial message and answer such that they look like a real transcript
– Typically this is done by first selecting the answer and then computing the initial message
– The simulator’s advantage, allowing it to make a convincing transcript like a real prover even though it does not have the witness, is that it can compute the transcript in reverse order

Equivalence of discrete logarithms

• Assume setup describing a group of prime order with generator

• Relation

• Exercise: Prove it is complete, special sound and SHVZK

Protocol diagram: the prover picks $r \leftarrow \mathbb{Z}_p$ and sends $a, b$; the verifier sends the challenge $c \leftarrow \mathbb{Z}_p$; the prover answers $z = cw + r$; the verifier applies its acceptance test (omitted on the slide).

Σ-protocol for arithmetic circuit over

Circuit diagram with wires $v$, $w_1$, $w_2$, $w_3$.

Prove hidden values respect the gates

Multiple Σ-protocols can be composed with each other using the same challenge

Non-interactive commitment

• Key generation returns commitment key
• Commitment algorithm commits to by picking randomness and computing
• Opening consists of which allows recipient to check that

Diagram: the sender sends the commitment $c$ and later opens it with $(m, r)$.

Hiding: $c$ does not reveal $m$

Binding: sender can only open $c$ in one way

Pedersen commitments

• Key generation
– Pick a group of prime order with random generators and . Key .
• Commitment
– Given pick and compute
• The opening of the commitment is
• Exercise
– Argue it is perfectly hiding
– Verify it is homomorphic, i.e.,

ElGamal type commitments

• Key generation
– Pick a group of prime order with random generators and . Key .
• Commitment
– Given pick and compute
• The opening of the commitment is
• Exercise
– Argue it is perfectly binding
– Verify it is homomorphic

Addition gates

• Consider a gate saying
• Given commitments and compute the commitment to as which, by the homomorphic property of the commitment scheme, automatically gives a verifiable commitment to
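An added Python example, not code from the slides: a toy Pedersen commitment over a constructed small group, the addition gate evaluated homomorphically on commitments alone, and the standard reduction showing that two different openings of one commitment reveal $\log_g h$. The parameters P, Q, G, H and all function names are assumptions made here.

```python
# Constructed toy parameters (not from the slides): safe prime P = 2Q + 1;
# G and H are quadratic residues, hence generators of the order-Q subgroup.
# A real key is generated so that nobody knows log_G(H).
P, Q = 1019, 509
G, H = 4, 9

def commit(m, r):
    """Pedersen commitment com(m; r) = G^m H^r for m, r in Z_Q."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P

def open_ok(c, m, r):
    """Recipient's check of an opening (m, r) of the commitment c."""
    return c == commit(m, r)

def add_gate(c1, c2):
    """Verifier-side addition gate: a commitment to w1 + w2 from c1, c2 alone,
    since com(w1; r1) * com(w2; r2) = com(w1 + w2; r1 + r2)."""
    return c1 * c2 % P

def add_gate_opening(w1, r1, w2, r2):
    """Prover-side opening of add_gate(c1, c2): (w1 + w2, r1 + r2)."""
    return (w1 + w2) % Q, (r1 + r2) % Q

def binding_break_to_dlog(m1, r1, m2, r2):
    """Two openings of one commitment with m1 != m2 satisfy
    G^m1 H^r1 = G^m2 H^r2, so log_G(H) = (m1 - m2) / (r2 - r1) mod Q.
    Computational binding therefore rests on the discrete logarithm problem."""
    return (m1 - m2) * pow(r2 - r1, -1, Q) % Q
```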

Multiplication gates

• Statement:
• Prover’s witness: satisfying

Protocol diagram: the prover picks $d, s, t \leftarrow \mathbb{Z}_p$ and sends $a, b$; the verifier sends the challenge $x \leftarrow \mathbb{Z}_p$; the prover answers $f = x w_1 + d$, $z_1$, $z_2$; the verifier applies its acceptance test (omitted on the slide).

Σ-protocol for arithmetic circuit

Pedersen commitments
• Computational special soundness
• Perfect special honest verifier zero-knowledge
• Communication
– 1 group element per committed value
– 2 group elements and 3 field elements per multiplication gate
– Addition gates for free

ElGamal commitments
• Statistical special soundness
• Computational special honest verifier zero-knowledge
• Communication
– 2 group elements per committed value
– 4 group elements and 3 field elements per multiplication gate
– Addition gates for free

Σ-protocol for arithmetic circuit over

Circuit diagram with wires $v$, $w_1$, $w_2$, $w_3$.

Prove hidden values respect the gates

Communication: O(|C|) commitments
Prover computation: O(|C|) exponentiations
Verifier computation: O(|C|) exponentiations

How efficient can arguments be?

• Zero-knowledge proofs in general have linear or superlinear communication in witness size
– Unless SAT-solving has sublinear complexity
• Zero-knowledge arguments can have sublinear communication
– Kilian 1992 gave a sublinear zero-knowledge argument for an NP-complete language
• Commit to a probabilistically checkable proof using a hash-tree
• Verifier makes queries to the probabilistically checkable proof
• Answer queries from the verifier by revealing paths in the hash-tree

Knowledge of opening of commitment to 0

• Assume setup with commitment key
• Relation
• Question
– If it is the Pedersen commitment scheme it is trivial that there exists an opening of , so what is the purpose of the Σ-protocol?
• Answer
– To prove knowledge of the opening

Σ-protocol for commitment to 0

• Relation
• Complete:
• Special soundness: and implies so witness
• SHVZK: Given simulate

Protocol diagram: the prover picks $r_0 \leftarrow \mathbb{Z}_p$ and sends $c_0$; the verifier sends the challenge $x \leftarrow \mathbb{Z}_p$; the prover answers $z = x r + r_0$; the verifier applies its acceptance test (omitted on the slide).

Batch-proof for commitments containing 0

• Assume setup with commitment key

Protocol diagram: the prover picks $r_0 \leftarrow \mathbb{Z}_p$ and sends $c_0$; the verifier sends the challenge $x \leftarrow \mathbb{Z}_p$; the prover answers $z = \sum_{i=0}^{n} x^i r_i$; the verifier applies its acceptance test (omitted on the slide).

Statement:

Communication: O(1) elements
Prover: O(n) multiplications
Verifier: O(n) exponentiations
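An added Python example, not the slides' own code, of the Σ-protocol for Pedersen commitments to 0 and its batch version over a constructed toy group: the prover's two moves, the verifier's check, the special-soundness extractor for the single-commitment case, and the SHVZK simulator that builds the transcript in reverse. The verification equation $\prod_{i=0}^{n} c_i^{x^i} = h^z$ (with $c_0$ the initial message) is my reconstruction, since the slide omits it; the parameters P, Q, G, H and the function names are assumptions.

```python
import secrets

# Constructed toy parameters (not from the slides): safe prime P = 2Q + 1;
# G and H are quadratic residues, hence generators of the order-Q subgroup.
P, Q = 1019, 509
G, H = 4, 9

def commit(m, r):
    """Pedersen commitment com(m; r) = G^m H^r; a commitment to 0 is just H^r."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P

def prover_initial():
    """First move: fresh r_0 and initial message c_0 = com(0; r_0)."""
    r0 = secrets.randbelow(Q)
    return r0, commit(0, r0)

def prover_answer(rs, r0, x):
    """Third move: z = sum_{i=0}^{n} x^i r_i, with r_0 as the i = 0 term.
    The prover only does O(n) field multiplications."""
    return sum(pow(x, i, Q) * r for i, r in enumerate([r0] + list(rs))) % Q

def verifier_accepts(cs, c0, x, z):
    """Assumed check: prod_{i=0}^{n} c_i^{x^i} == H^z, where c_0 is the initial
    message and c_1..c_n the statement. O(n) exponentiations, O(1) messages."""
    lhs = 1
    for i, c in enumerate([c0] + list(cs)):
        lhs = lhs * pow(c, pow(x, i, Q), P) % P
    return lhs == pow(H, z, P)

def extract(x1, z1, x2, z2):
    """Special soundness for n = 1: two accepting transcripts with the same c_0
    and x1 != x2 give z1 - z2 = (x1 - x2) r, so the witness r is recovered."""
    return (z1 - z2) * pow(x1 - x2, -1, Q) % Q

def simulate(cs, x):
    """SHVZK simulator: choose z first, then solve the check for c_0."""
    z = secrets.randbelow(Q)
    c0 = pow(H, z, P)
    for i, c in enumerate(cs, start=1):
        c0 = c0 * pow(c, -pow(x, i, Q), P) % P    # multiply by c_i^{-x^i}
    return c0, x, z
```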

Generalized Pedersen commitment

• Commitment key:
• Commitment: Pick and compute
• Computationally binding
– Cannot find for same
• Perfectly hiding
– For all we get random group element

Generalized Pedersen commitment

• Commitment:
• Length-reducing
– Single group element even for large vectors
• Homomorphic
• Length-reducing + homomorphic
– Parallel verifiable computation on hidden data

Cost for N-gate arithmetic circuit

• Standard argument
– O(N) elements
– O(N) verifier expos
– O(N) prover expos
– 3 rounds
• Batch argument
– O(N) elements
– O(N) verifier mults
– O(N) prover expos
– 7 rounds
