A survey on SNARKs
Carla Ràfols
Elliptic Curve Cryptography, Bochum, December 3rd
(PowerPoint PPT presentation, transcribed slide by slide)


  1. A survey on SNARKs
     Carla Ràfols
     Elliptic Curve Cryptography, Bochum, December 3rd
     (footer on every slide: Carla Ràfols, ZKProofs, Elliptic Curve Cryptography, Bochum, December 3rd)

  2. What are ZK Proofs?
     [Figure: a Sudoku grid. x = "Unsolved Sudoku", w = "Solved Sudoku". Peggy: (x, w) sends a Proof to Victor: x, who outputs Accept or Reject.]
     A process in which a prover probabilistically convinces a verifier of the correctness of a mathematical proposition, and the verifier learns nothing else.

  3. What are ZK Proofs?
     Examples of a statement x and its witness w:
       x = CircuitSat = (There exists w s.t. C(w) = 1), witness w
       x = (There exist (p, q) s.t. N = pq), w = (p, q)
       x = (I know sk), w = sk
     Peggy: (x, w), Victor: x. Victor outputs Accept or Reject; "x is true" means x ∈ L.
     A process in which a prover probabilistically convinces a verifier of the correctness of a mathematical proposition, and the verifier learns nothing else.

  4. Applications
     [Figure: Proof that > 18; Movie DB; Mixing in E-voting; Anonymous Credentials; Anonymous Financial Transactions]
     In a dream world zero-knowledge solves all your privacy concerns: keep your data and prove you have played by the rules.

  5. Applications: Verifiable Computation
     [Figure: the client asks "F(data) = ??"; the server answers "y = F(data)" together with a proof]
     Check the correctness of the computation without downloading the data.
     In some applications a "Proof" (not Zero-Knowledge) is sufficient: the case when sk_Peggy = ∅.

  6. What is a "good" ZK Proof?
     Performance is measured in different parameters.
     [Figure: Peggy: (x, w) sends π to Victor: x, who outputs b ∈ {0, 1}]
     - Expressivity.
     - Prover complexity / Verifier complexity.
     - Proof size.
     - Weaker / stronger computational assumptions.
     - Need for a trusted setup.
     - Amount of interaction.
     - Of Knowledge.
     - Private vs public verification...

  7. What is a "good" ZK Proof?
     Performance is measured in different parameters.
     [Figure: Peggy: (x, w) sends π to Victor: x, who outputs b ∈ {0, 1}]
     - Expressivity.
     - Prover complexity / Verifier complexity.
     - Proof size.
     - Weaker / stronger computational assumptions.
     - With / without Common Reference String.
     - Amount of interaction: non-interactive.
     - Of Knowledge.
     - Private vs public verification...

  8. Properties of ZK Proofs
     [Figure: Peggy: (x, w) sends π to Victor: x, who outputs b ∈ {0, 1}]
     - Completeness. If Peggy and Victor behave honestly, the proof will be accepted.
     - Soundness. Peggy cannot prove false statements.
     - Zero-Knowledge. Victor learns nothing beyond the truth of the statement.
     - Of Knowledge. Victor is convinced that the prover knows a witness for the statement being true.

  9. Formalizing Zero-Knowledge in the CRS model
     [Figure, real setting: Peggy: (CRS, x, w) sends π to Victor: (CRS, x), who outputs b ∈ {0, 1}.
      Simulated setting: Simulator: (CRS, x, τ) sends π to Victor: (CRS, x), who outputs b ∈ {0, 1}.]
     Setting: Common Reference String setting, Non-Interactive.
     In the (trusted) Setup phase, the common reference string CRS is generated with a trapdoor τ.
     Real and simulated setting are indistinguishable.

  10. Expressivity: Specific Statements
     Until recently "practical ZK" was limited to non NP-complete languages.
     [Figure: Mixing in E-voting; Encryption; Digital Signatures]
     x = ((g, g^a, g^b, g^c) is a DH tuple), w = (a, b)
     x = (C_1 and C_2 have the same plaintext), w = (r_1, r_2)

  11. Expressivity: General Languages until 2009
     CircuitSat naturally encodes computation. It is also the "standard" NP-complete problem for ZK Proofs.
     Proof size is always (at least) linear in the witness size, except for proofs that use the PCP Theorem, non-interactive in the RO ([Kilian92], [Micali00], ...).

  12. PCP-based proofs: General Proof Strategy (very simplified)
     Theorem (PCP Theorem). NP = PCP(O(1), O(log n)) (probabilistically checkable proofs with O(1) queries and log n randomness).
     [Figure: Peggy: (x, w) commits to Π; Victor: x sends the query positions i_1, ..., i_k; Peggy opens π_{i_1}, ..., π_{i_k}; Victor outputs Accept or Reject.]
     It was not a practical approach, but proofs were succinct. Non-interactive in the RO [Micali00].

  13. The Hunting of the (practical) SNARK
     Succinct Non-Interactive Arguments of Knowledge
     "We have sailed many weeks, we have sailed many days,
      (Seven days to the week I allow),
      But a Snark, on the which we might lovingly gaze,
      We have never beheld till now!"  L. Carroll

  14. ZK Proofs History: The Hunting of the SNARK
     1989 – Interactive Proof-Systems [GMR89]
     (...)
     2010 – Groth. Succinct argument without PCPs (42 bilinear group elements)
     QAPs: ZK-friendly characterization of NP, linear CRS [GGPR13]
     2013 – Implementation: "Pinocchio: Nearly Practical Verifiable Computation" [PGHR13]
     2014 – ZeroCash
     2016 – Groth. Most efficient zk-SNARK (3 bilinear group elements)
     .... – and so much more...

  15. SNARKs: Technical core

  16. Overview (not so far from PCPs, after all)
     Information Theoretic Step.
       Circuit → Rank 1 Constraint System → Quadratic Arithmetic Program
       R1CS: matrices L, R, O s.t. a satisfies the circuit ⇔ a^T L ∘ a^T R = a^T O
       QAP: t(x), {v_i(x), w_i(x), y_i(x)}_i s.t. a satisfies the circuit ⇔ t(x) divides (∑_i a_i v_i(x))(∑_i a_i w_i(x)) − ∑_i a_i y_i(x)
     Computational Step.
       Quadratic Arithmetic Program t(x), {v_i(x), w_i(x), y_i(x)}_i  --Compiler-->  SNARK (CRS, π)

  17. Example
     [Figure: arithmetic circuit with inputs a_1, a_2, a_3, a_4: a × gate with constant 2 on a_2 and a + gate on a_3, a_4 feed a × gate producing a_5; a + gate on a_1, a_2 and a_5 feed a × gate producing a_6]
     a_5 = (2 a_2)(a_3 + a_4)
     a_6 = (a_1 + a_2) a_5

  18. Example
     a_5 = (2 a_2)(a_3 + a_4),  a_6 = (a_1 + a_2) a_5
     Rows are indexed by a_1, ..., a_6 and columns by the multiplication gates a_5, a_6:

       a = (a_1, a_2, a_3, a_4, a_5, a_6)^T

           | 0 1 |        | 0 0 |        | 0 0 |
           | 2 1 |        | 0 0 |        | 0 0 |
       L = | 0 0 |,   R = | 1 0 |,   O = | 0 0 |
           | 0 0 |        | 1 0 |        | 0 0 |
           | 0 0 |        | 0 1 |        | 1 0 |
           | 0 0 |        | 0 0 |        | 0 1 |

     a^T L ∘ a^T R = a^T O  ⇔  (2 a_2, a_1 + a_2) ∘ (a_3 + a_4, a_5) = (a_5, a_6)

  19. Example
     a^T L ∘ a^T R = a^T O  ⇔  (2 a_2, a_1 + a_2) ∘ (a_3 + a_4, a_5) = (a_5, a_6)
     Read each matrix as a table of evaluations of polynomials at two points r_1, r_2 (one per gate):

           | v_1(r_1) v_1(r_2) |        | w_1(r_1) w_1(r_2) |        | y_1(r_1) y_1(r_2) |
       L = |    ...      ...   |,   R = |    ...      ...   |,   O = |    ...      ...   |
           | v_6(r_1) v_6(r_2) |        | w_6(r_1) w_6(r_2) |        | y_6(r_1) y_6(r_2) |

     a^T L ∘ a^T R = a^T O
       ⇔ (∑ a_i v_i(r_1), ∑ a_i v_i(r_2)) ∘ (∑ a_i w_i(r_1), ∑ a_i w_i(r_2)) = (∑ a_i y_i(r_1), ∑ a_i y_i(r_2))
       ⇔ (∑ a_i v_i(X))(∑ a_i w_i(X)) − (∑ a_i y_i(X)) is divisible by (X − r_1)(X − r_2)

  20. QAP Definition
     A quadratic arithmetic program consists of some polynomials {v_i(x)}_{i=0}^n, {w_i(x)}_{i=0}^n, {y_i(x)}_{i=0}^n and t(x).
     A vector a is accepted by the QAP iff t(x) divides
       (v_0(x) + ∑ a_i v_i(x)) (w_0(x) + ∑ a_i w_i(x)) − (y_0(x) + ∑ a_i y_i(x)).
     We have seen how to construct a QAP such that a is accepted if and only if it satisfies the circuit. The polynomials can be computed from the circuit description.
     Degree of the polynomials: number of gates; number of polynomials: inputs + gates.
     Idea for succinctness: check equality at a single evaluation point!!
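The following is a worked example added by the editor; it is not code from the slides or from the author. It carries slides 17 through 20 through in Python for the circuit a_5 = (2 a_2)(a_3 + a_4), a_6 = (a_1 + a_2) a_5: the R1CS matrices of slide 18 are checked with the Hadamard product, each row is interpolated into v_i, w_i, y_i at the gate points r_1, r_2 as on slide 19, and the QAP divisibility test of slide 20 is run, together with the "single evaluation point" check. The field F_P with P = 101 and the roots r_1 = 1, r_2 = 2 are constructed choices for readability (a real SNARK works in the scalar field of a pairing-friendly curve); all helper names are the editor's.

```python
# Added example, not from the slides: R1CS -> QAP for the circuit of slides 17-20,
#   a5 = (2*a2) * (a3 + a4),   a6 = (a1 + a2) * a5
# Assumptions: a toy prime field F_P with P = 101 and gate roots r1 = 1, r2 = 2.

P = 101           # constructed small prime; real SNARKs use a pairing-friendly curve's scalar field
ROOTS = [1, 2]    # r1, r2: one evaluation point per multiplication gate (constructed)

# Slide 18 matrices: rows are a1..a6, columns are the two gates (a5, a6).
L = [[0, 1], [2, 1], [0, 0], [0, 0], [0, 0], [0, 0]]
R = [[0, 0], [0, 0], [1, 0], [1, 0], [0, 1], [0, 0]]
O = [[0, 0], [0, 0], [0, 0], [0, 0], [1, 0], [0, 1]]

# Polynomials over F_P are coefficient lists, lowest degree first.
def p_trim(f):
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    return f

def p_add(f, g):
    n = max(len(f), len(g))
    return p_trim([((f[i] if i < len(f) else 0) + (g[i] if i < len(g) else 0)) % P
                   for i in range(n)])

def p_sub(f, g):
    return p_add(f, [(-c) % P for c in g])

def p_mul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % P
    return p_trim(out)

def p_eval(f, x):
    acc = 0
    for c in reversed(f):           # Horner's rule
        acc = (acc * x + c) % P
    return acc

def p_divmod(f, g):
    """Long division over F_P: f = q*g + r with deg r < deg g; returns (q, r)."""
    f, g = p_trim(f[:]), p_trim(g[:])
    if len(f) < len(g):
        return [0], f
    q, inv_lead = [0] * (len(f) - len(g) + 1), pow(g[-1], P - 2, P)
    for k in range(len(f) - len(g), -1, -1):
        q[k] = (f[k + len(g) - 1] * inv_lead) % P
        for j, gc in enumerate(g):
            f[k + j] = (f[k + j] - q[k] * gc) % P
    return p_trim(q), p_trim(f[:len(g) - 1] or [0])

def lagrange(xs, ys):
    """Unique polynomial of degree < len(xs) taking value ys[j] at xs[j]."""
    total = [0]
    for j, xj in enumerate(xs):
        basis, denom = [1], 1
        for m, xm in enumerate(xs):
            if m != j:
                basis = p_mul(basis, [(-xm) % P, 1])      # times (x - xm)
                denom = (denom * (xj - xm)) % P
        total = p_add(total, p_mul(basis, [ys[j] * pow(denom, P - 2, P) % P]))
    return total

# Slide 19: row i of each matrix becomes a polynomial through the points (r_j, M[i][j]).
V = [lagrange(ROOTS, row) for row in L]    # v_i(r_j) = L[i][j]
W = [lagrange(ROOTS, row) for row in R]    # w_i(r_j) = R[i][j]
Y = [lagrange(ROOTS, row) for row in O]    # y_i(r_j) = O[i][j]
T = [1]                                    # target polynomial t(x) = (x - r1)(x - r2)
for r in ROOTS:
    T = p_mul(T, [(-r) % P, 1])

def witness(a1, a2, a3, a4):
    """Evaluate the circuit honestly to obtain the full vector a = (a1, ..., a6)."""
    a5 = (2 * a2 * (a3 + a4)) % P
    a6 = ((a1 + a2) * a5) % P
    return [a1 % P, a2 % P, a3 % P, a4 % P, a5, a6]

def r1cs_satisfied(a):
    """Slide 18: a^T L o a^T R == a^T O, checked one gate (column) at a time."""
    col = lambda M, j: sum(a[i] * M[i][j] for i in range(6)) % P
    return all((col(L, j) * col(R, j)) % P == col(O, j) for j in range(len(ROOTS)))

def combine(polys, a):
    """The linear combination sum_i a_i * f_i(x)."""
    acc = [0]
    for ai, f in zip(a, polys):
        acc = p_add(acc, p_mul(f, [ai % P]))
    return acc

def qap_quotient(a):
    """Write p(x) = (sum a_i v_i)(sum a_i w_i) - sum a_i y_i as h(x) t(x) + rem(x); returns (h, rem)."""
    p = p_sub(p_mul(combine(V, a), combine(W, a)), combine(Y, a))
    return p_divmod(p, T)

def qap_accepts(a):
    """Slide 20: a is accepted iff t(x) divides p(x), i.e. the remainder is zero."""
    return qap_quotient(a)[1] == [0]

def check_at_point(a, s):
    """Slide 20's succinctness idea: compare p(s) with h(s) t(s) at a single point s only."""
    h, _ = qap_quotient(a)
    p_s = (p_eval(combine(V, a), s) * p_eval(combine(W, a), s) - p_eval(combine(Y, a), s)) % P
    return p_s == (p_eval(h, s) * p_eval(T, s)) % P
```

For the honest witness `witness(1, 2, 3, 4) = (1, 2, 3, 4, 28, 84)` the polynomial p(x) equals −21(x − 1)(x − 2), so the quotient h is the constant 80 = −21 mod 101 and the remainder is zero. If a_5 is tampered with, the R1CS check fails at the first gate, the remainder becomes a nonzero polynomial of degree at most one, and the single-point check passes for at most one value of s out of 101: that bound (degree of the remainder over the field size) is exactly why checking at one hidden point suffices once the field is large.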

  21. Bilinear map or Pairing
     Implicit notation: [a]_i = a P_i.
     Definition. G_1, G_2, G_T cyclic groups of order p where DLOG is hard, P_1, P_2 generators of G_1, G_2 respectively. e : G_1 × G_2 → G_T is a non-degenerate bilinear map (or pairing) if for all ([α]_1, [β]_2) ∈ G_1 × G_2,
       e([α]_1, [β]_2) = e(P_1, P_2)^{αβ}   (Bilinearity),
       e([α]_1, [β]_2) ≠ 1_{G_T}            (Non-degeneracy)
