arya nearly linear time zero knowledge proofs for correct
play

Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program - PowerPoint PPT Presentation

Mar 11, 2024 •12 likes •332 views

Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle, Andrea Cerulli, Jens Groth, Sune Jakobsen, Mary Maller Zero-Knowledge Proofs for Statement Correct Program Execution Witness Prover Verifier

  1. Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle, Andrea Cerulli, Jens Groth, Sune Jakobsen, Mary Maller

  2. Zero-Knowledge Proofs for Statement Correct Program Execution Witness Prover Verifier

  3. Zero-Knowledge Proofs for Statement Correct Program Execution Witness Prover Verifier

  4. Zero-Knowledge Proofs for Statement Correct Program Execution Completeness: An honest prover Prover Verifier convinces the verifier.

  5. Zero-Knowledge Proofs for Statement Correct Program Execution Soundness: A dishonest prover never convinces the verifier. Completeness: An honest prover Prover Verifier Computational guarantee convinces the verifier. -> argument

  6. Zero-Knowledge Proofs for Statement Correct Program Execution Witness Soundness: A dishonest prover never convinces the verifier. Completeness: An honest prover Prover Verifier Computational guarantee convinces the verifier. Zero-knowledge: -> argument Nothing but the truth of the statement is revealed.

  7. Zero-Knowledge Proofs for Statement Correct Program Execution Interaction Prover Verifier Communication Computation Computation Prover Verifier Cryptographic Assumption

  8. Zero-Knowledge Proofs for Correct Program Execution Registers Memory pc r1 r2 r3 … … … … … flag Primary Input instruction1 Random instruction2 Input Tapes Access Instruction3 Auxiliary Input … TinyRAM Program … … TinyRAM Instructions include ADD, MULT, XOR, AND,…

  9. Zero-Knowledge Proofs for Correct Program Execution Registers Memory pc r1 r2 r3 … … … … … flag Primary Input instruction1 Random instruction2 Input Tapes Access Instruction3 Auxiliary Input … TinyRAM Program … … TinyRAM Public Values <-> Statement

  10. Zero-Knowledge Proofs for Correct Program Execution Registers Memory pc r1 r2 r3 … … … … … flag Primary Input instruction1 Random instruction2 Input Tapes Access Instruction3 Auxiliary Input … TinyRAM Program … … TinyRAM Private Values <-> Prover’s Witness

  11. Zero-Knowledge Proofs for Correct Program Execution Goal: Why TinyRAM? Zero-knowledge proof for • Closer to real world statements • Compilers from restricted C to correct TinyRAM execution TinyRAM with low prover overhead

  12. List of Memory Execution Trace Memory Changes Extra Time Information 0 pc r1 r2 r3 … … … … … flag pc r1 r2 r3 1 pc r1 r2 r3 … … … … … flag pc r1 r2 r3 2 pc r1 r2 r3 … … … … … flag pc r1 r2 r3 3 pc r1 r2 r3 … … … … … flag pc r1 r2 r3 … … instruction1 instruction2 T pc r1 r2 r3 … … … … … flag pc r1 r2 r3 Instruction3 TinyRAM … Primary Input Program … Input Tapes Auxiliary Input …

  13. List of Memory Checks Memory Changes Extra Time Information 0 pc r1 r2 r3 … … … … … flag pc r1 r2 r3 1 pc r1 r2 r3 … … … … flag pc r1 r2 r3 2 pc r1 r2 r3 … … … … flag pc r1 r2 r3 3 pc r1 r2 r3 … … … … … flag pc r1 r2 r3 … … instruction1 Memory instruction2 T pc r1 r2 r3 … … … … flag pc r1 r2 r3 Instruction3 TinyRAM Consistency … Primary Input Program … Input Tapes Auxiliary Input …

  14. List of Memory Checks Memory Changes Extra Time Information 0 pc r1 r2 r3 … … … … … flag pc r1 r2 r3 Correct 1 pc r1 r2 r3 … … … … … flag pc r1 r2 r3 2 pc r1 r2 r3 … … … … … flag pc r1 r2 r3 Instruction 3 pc r1 r2 r3 … … … … … flag pc r1 r2 r3 Execution … … instruction1 instruction2 T pc r1 r2 r3 … … … … … flag pc r1 r2 r3 Instruction3 TinyRAM … Primary Input Program … Input Tapes Auxiliary Input …

  15. List of Memory Checks Memory Changes Extra Time Information 0 pc r1 r2 r3 … … … … … flag pc r1 r2 r3 1 pc r1 r2 r3 … … … … … flag pc r1 r2 r3 2 pc r1 r2 r3 … … … … … flag pc r1 r2 r3 3 pc r1 r2 r3 … … … … … flag pc r1 r2 r3 … … instruction1 Word instruction2 T pc r1 r2 r3 … … … … … flag pc r1 r2 r3 Instruction3 TinyRAM … Primary Input Program Decompositions … Input Tapes Auxiliary Input …

  16. Proving Correct Program Execution Sources of Overhead Our Solutions • Large fields and large cyclic • Use hash-based proof system groups over any field • Permutation networks for • Alternative approach to checking checking memory permutations • Large circuits for bitwise • Word decomposition technique operations gives constant-size circuits

  17. � � Results Work Prover Verifier Communication Rounds Assumption Complexity Complexity BCTV14 Ω(𝑈 log 𝑈 ' ) 𝜕(𝑀 + 𝑤 ) 𝜕(1) 1 KoE This LT-CRHF 𝑃(𝛽𝑈) 𝑃(log log 𝑈) 𝑞𝑝𝑚𝑧(𝜇) 𝑈 + 𝑀 + 𝑤 𝑞𝑝𝑚𝑧(𝜇) 𝑈 + 𝑀 Work But what is 𝛽 ? Security 2 78 9:; < Program Length 𝑀 Runtime Bound 𝑈 Public Input 𝑊

  18. Arithmetising TinyRAM Overview TinyRAM Execution Trace Algebraic Constraints Main Polynomials Contributions Prior work: Linear-Time Ideal Protocols Zero-Knowledge Look-Up Zero-Knowledge Proofs Arguments and More Standard Protocols 18

  19. Ideal Linear Commitment Protocols Commit to vectors P V 𝑦 ← C Commit to vectors Send random challenges 𝑧 ← C … … Check linear 𝑨 ← C combinations against Compute linear combinations Linear combinations commitments

  20. Ideal Linear Commitment Protocols Commit to execution trace P V 𝑦 ← C Commit to vectors Send random challenges 𝑧 ← C … … Coefficients of linear 𝑨 ← C combinations embed Compute linear combinations Linear combinations useful conditions

  21. Committing Encode 2 6 6 2 0 2 3 7 2 5 7 3 1 7 4 3 7 2 8 4 8 4 5 7 4 6 8 9 3 5 4 2 8 4 6 7 2 3 4 6 2 1 5 6 3 3 7 4 3 9 8 4 7 2 4 5 2 5 3 9 Prover Hash computes linear combination 5 9 3 2 4

  22. Checking Commitments Encode 2 6 6 2 0 2 3 7 2 5 7 3 1 7 4 3 7 2 8 4 8 4 5 7 4 6 8 9 3 5 4 2 8 4 6 7 2 3 4 6 2 1 5 6 3 3 7 4 3 9 8 4 7 2 4 5 2 5 3 9 Prover Hash computes linear combination Encode 5 9 3 2 4 2 3 7 2 5 7 3 1 7 4 Verifier encodes and spot-checks columns High minimum distance catches cheating

  24. Correct Instruction Execution pc r1 r2 r3 pc r1 r2 r3 … … … … … flag Covers all Transition Circuit TinyRAM Check consistency of instructions values across each pc r1 r2 … … … … flag pc r2 r3 time step Transition Circuit Constant size circuit pc r1 r2 r3 … … … … flag pc r1 r2 r3 Give batch argument that each copy of circuit is satisfied

  25. Word Decomposition Avoid binary circuits when checking bitwise operations on non-binary field elements! 𝑏, 𝑐 ∈ 0,1 𝑏 + 𝑐 = 2 𝑏 ∧ 𝑐 + (𝑏 ⊕ 𝑐)

  26. Word Decomposition Register value Binary Decomposition 𝑏 𝒃 𝟏 𝒃 𝟐 𝒃 𝟑 𝒃 𝟒 … … … … 𝒃 𝑿7𝟑 𝒃 𝑿7𝟐 𝑏 P Odd bits 𝒃 𝟐 𝟏 𝒃 𝟒 𝟏 … … … … 𝒃 𝑿7𝟐 𝟏 𝑏 Q Even bits 𝒃 𝟏 𝟏 𝒃 𝟑 𝟏 … … … … 𝒃 𝑿7𝟑 𝟏 𝑏 = 2𝑏 P + 𝑏 Q

  27. Word Decomposition 𝑏 𝑐 𝒃 𝟏 𝒃 𝟐 𝒃 𝟑 𝒃 𝟒 … … … … 𝒃 𝑿7𝟑 𝒃 𝑿7𝟐 𝒃 𝟏 𝒃 𝟐 𝒃 𝟑 𝒃 𝟒 … … … … 𝒃 𝑿7𝟑 𝒃 𝑿7𝟐 𝑏 P 𝑐 P 𝒃 𝟐 𝟏 𝒃 𝟒 𝟏 … … … … 𝒃 𝑿7𝟐 𝟏 𝒃 𝟐 𝟏 𝒃 𝟒 𝟏 … … … … 𝒃 𝑿7𝟐 𝟏 𝑏 Q 𝑐 Q 𝒃 𝟏 𝟏 𝒃 𝟑 𝟏 … … … … 𝒃 𝑿7𝟑 𝟏 𝒃 𝟏 𝟏 𝒃 𝟑 𝟏 … … … … 𝒃 𝑿7𝟑 𝟏 𝑏 = 2𝑏 P + 𝑏 Q 𝑐 = 2𝑐 P + 𝑐 Q XORs in even bits ANDs in odd bits 𝒃 𝟏 ⊕ 𝒄 𝟏 𝒃 𝟏 ∧ 𝒄 𝟏 𝒃 𝟑 ⊕ 𝒄 𝟑 𝒃 𝟑 ∧ 𝒄 𝟑 … … … … 𝒃 𝑿7𝟑 ⊕ 𝒄 𝑿7𝟑 𝒃 𝑿7𝟑 ∧ 𝒄 𝑿7𝟑 𝑏 Q + 𝑐 Q

  28. Look-up Argument Register Even Odd Decomposition Look-Up Table Value Bits Bits Register Values Even Bits Odd Bits All possible register Use zero-knowledge look-up values argument to show all decompositions correct

  29. Look-up Argument Approach: Values 𝑏 T , 𝑏 ' , … , 𝑏 V lie in table Look-Up Table 𝒄 𝟐 𝑐 T , 𝑐 ' , … , 𝑐 Y already public ó 𝒄 𝟑 1. Commit to 𝑏 T , 𝑏 ' , … , 𝑏 V , 𝑓 T , 𝑓 ' , … , 𝑓 Y 𝒄 𝟒 𝑏 T , 𝑏 ' , … , 𝑏 V ⊂ {𝑐 T , 𝑐 ' , … , 𝑐 Y } … … … 2. Prove in zero-knowledge that ó Verify a ‘square and multiply’ … algorithm in zero-knowledge a b 𝒄 𝒐 V Y a b ∏ = ∏ (𝑦 − 𝑏 ^ ) 𝑦 − 𝑐 for random 𝑦 V Y ∏ = ∏ (𝑌 − 𝑏 ^ ) 𝑌 − 𝑐 ` ` ^_T `_T ^_T `_T for some 𝑓 ` ≥ 0 Think of 𝑛 ≫ 𝑜

Recommend

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack Ronald Cramer (CWI) Ivan Damgrd (AU) Chaoping Xing (NTU) ChenYuan (NTU) Eprint 2016/681 Integer One-Way Function (iOWF) maps integers to finite

582 views • 32 slides
References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge https://en.wikipedia.org/wiki/Zero-knowledge_proof Protocols Zero Knowledge Proofs: An Illustrated Primer by M. Green. Part I: https://blog.cryptographyengineering.com/2014/11/27/ Jim

389 views • 18 slides
Reminders Homework #3 is out Should cover proofs (including some from today) Due next

Reminders Homework #3 is out Should cover proofs (including some from today) Due next

Reminders Homework #3 is out Should cover proofs (including some from today) Due next Tuesday (September 24) Office hours Wednesday and Thursday Is this Proof Correct? Is this Proof Correct? Is this Proof Correct? CMSC 203:

792 views • 12 slides
Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner

Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner

Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner TA: Malvin Gattinger October 22, 2014 1 / 27 Introduction Zero-knowledge proofs are proofs that yield nothing beyond the validity of the

415 views • 27 slides
Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive Proofs 2 Interactive Proofs Prover wants to convince verifier that x has some property 2 Interactive Proofs Prover wants to convince verifier

1.9k views • 174 slides
Lab 2 discussion Last Time Debugging Its a science use experiments to refine

Lab 2 discussion Last Time Debugging Its a science use experiments to refine

size= 64 correct= 0 size= 73 correct= 0 Shuying Liang size= 107 correct= 1 size= 107 correct= 0 size= 108 correct= 0 size= 108 correct= 1 Please do not handin a .doc file, a .zip file, a .tar file, size= 111 correct= 1 size=

430 views • 7 slides
Recovery of sparse signals from a mixture of linear samples Arya Mazumdar Soumyabrata Pal

Recovery of sparse signals from a mixture of linear samples Arya Mazumdar Soumyabrata Pal

Recovery of sparse signals from a mixture of linear samples Arya Mazumdar Soumyabrata Pal University of Massachusetts Amherst June 15, 2020 ICML 2020 A relationship between features and labels x : feature and y : label . Consider the tuple (

322 views • 21 slides
Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a

Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a

Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a property about an element without revealing Lelantus ZCoins Zero-Knowledge protocol Prove that transactions are valid, without revealing

1.37k views • 72 slides
Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien

Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien

Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien Canard (1) , David Pointcheval (2) and Olivier Sanders (1 , 2) S (1) Orange Labs, Caen, France (2) Ecole Normale Sup erieure, Paris,

556 views • 31 slides
Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge Iftach Haitner, Tel Aviv University December 4, 2011 IP for GNI Part I Interactive Proofs IP for GNI Interactive Vs. Interactive Proofs Definition 1 (

1.51k views • 110 slides
Arya Samaj Principle: 9 th Principle By: Vipashchit Nanda The Ten Principles Formulated by

Arya Samaj Principle: 9 th Principle By: Vipashchit Nanda The Ten Principles Formulated by

Arya Samaj Principle: 9 th Principle By: Vipashchit Nanda The Ten Principles Formulated by Swami Dayanand Saraswati, sets the basic rules and ideas of Arya Samaj. They are equally applicable to all lands, all time and peoples of all

444 views • 10 slides
Micropipetting Doing it the correct way Practice, practice, practice! Why Take the Time to

Micropipetting Doing it the correct way Practice, practice, practice! Why Take the Time to

Micropipetting Doing it the correct way Practice, practice, practice! Why Take the Time to Practice? Micropipetting is the foundation to many future experiments Correct pipetting insures correct volumes which creates a greater chance

544 views • 19 slides
Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos, Geoffroy Couteau 1 /11 Zero-Knowledge Proof prover verifier Complete: if P knows a solution, V accepts Sound: if there is no solution, P

1.25k views • 27 slides
can be done in linear time? Yuri Gurevich Tallinn, April 29, 2014 Agenda 1. What linear time?

can be done in linear time? Yuri Gurevich Tallinn, April 29, 2014 Agenda 1. What linear time?

What, if anything, can be done in linear time? Yuri Gurevich Tallinn, April 29, 2014 Agenda 1. What linear time? Why linear time? 2. Propositional primal infon logic 3. A linear time decision algorithm 4. Extensions with 1. Disjunction 2.

632 views • 48 slides
CORRECT? Introduction Working hypothesis Observations: Hypothesis: Human intelligence

CORRECT? Introduction Working hypothesis Observations: Hypothesis: Human intelligence

The Knowledge Representation Hypothesis (Brian Smith, 1982): IT3706 Knowledge Representation An intelligent systems competence is Rodney Brooks: determined by its knowledge. Knowledge without The knowledge is contained within

405 views • 5 slides
Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs Prover wants to convince verifier that x has some property Interactive Proofs Prover wants to convince verifier that x has some property i.e. x is in

3.29k views • 145 slides
Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap Lelantus One e ffi cient

Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap Lelantus One e ffi cient

Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap Lelantus One e ffi cient way to do 1-in-N proofs zk-SNARKs A general way to prove anything in Zero-Knowledge (if you dont know how to do it any other way, use

3.26k views • 68 slides
Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne Broadbent (U. of Ottawa) arxiv:1911.07782 Quantum found. QZK Crypto TCS 2 / 19 Interactive proofs 3 / 19 Interactive proofs L NP P V 0

1.06k views • 89 slides
One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research

One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research

One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research -- Zurich Zero-Knowledge Proofs Zero-Knowledge Proofs Relation f(s)=t, and want to prove knowledge of s Zero-Knowledge Proofs Relation f(s)=t, and

1.04k views • 72 slides
On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek

On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek

On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018 Round-Complexity of ZK-Proofs for NP 2 Round-Complexity of ZK-Proofs for NP 2 Round-Complexity of ZK-Proofs for NP

835 views • 56 slides
Multi-Linear Strategy Extraction for QBF Expansion Proofs via Local Soundness Matthias Schlaipfer

Multi-Linear Strategy Extraction for QBF Expansion Proofs via Local Soundness Matthias Schlaipfer

Multi-Linear Strategy Extraction for QBF Expansion Proofs via Local Soundness Matthias Schlaipfer Friedrich Slivovsky Georg Weissenbacher Florian Zuleger July 6, 2020 Outline 1. Motivation 2. QBF: Semantics and expansion proofs 3. Local

582 views • 41 slides
Zero Knowledge Proofs Muthuramakrishnan Venkitasubramaniam An example An example I (re)solved

Zero Knowledge Proofs Muthuramakrishnan Venkitasubramaniam An example An example I (re)solved

Zero Knowledge Proofs Muthuramakrishnan Venkitasubramaniam An example An example I (re)solved P vs NP? S I How? Here is the proof Can I convince someone the validity of something Clay without revealing the proof? Institute

619 views • 46 slides
Zero-Knowledge Proofs III Beyond zk-SNARKs &amp; Accumulators Oct. 23, 2019 Recap zk-SNARKs

Zero-Knowledge Proofs III Beyond zk-SNARKs &amp; Accumulators Oct. 23, 2019 Recap zk-SNARKs

Zero-Knowledge Proofs III Beyond zk-SNARKs &amp; Accumulators Oct. 23, 2019 Recap zk-SNARKs Flattening the computation x 4 + x + 2 = 86 Proof: We know so that (hint ) x x = 3 We can verify all basic operations (+,-,*,assignment) We

1.28k views • 62 slides
Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang

Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang

Indistinguishable Proofs of Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang ASIACRYPT 2016 8th December, Hanoi, Vietnam Motivation (ZK) Proofs of Knowledge - PoK Statement: Prover

984 views • 79 slides

More recommend