lattice based zero knowledge snargs for arithmetic
play

Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits Anca - PowerPoint PPT Presentation

Sep 06, 2023 •356 likes •1.03k views

Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits Anca Nitulescu Outline C The SNARG Definitions Construction END Background Option for SNARGs Security s Proof Systems Roadmap and Tools Framework Conclusions Motivation

  1. Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits Anca Nitulescu

  2. Outline C The SNARG Definitions Construction END Background Option for SNARGs Security s Proof Systems Roadmap and Tools Framework Conclusions Motivation Definitions Building Blocks Open New Scheme History Properties Questions State-of-the-art Methodology 2

  3. SNARK C The SNARG Definitions Construction END Background Option Option for SNARGs Security Tale 2 s s Prover Verifier 3

  4. Delegated Computation Task computes f(x)= y Prover Verifier 4

  5. Prover claims a statement Claim y =f(x) Prover Verifier 5

  6. Verifier does not trust ? ? ? y ≠ f(x) f(x)= y Corrupted Verifier Prover 6

  7. Proof Systems: Non-Interactive Arguments [Mic00] Computationally sound proofs Joe Kilian Silvio Micali [Kil92] A note on effj ffjcient zk-proofs and arguments 7

  8. Non-Interactive Proof Protocol [Mic00] π Claim y =f(x) ROM Proof π π Prover Verifier 8

  9. Pre-Processing for Efficient Arguments crs [Mic00] Computationally sound proofs G. Di Crescenzo J. Groth Joe Kilian Helger Lipmaa Silvio Micali [Kil92] [DCL08] A note on effj ffjcient Succinct NP proofs from an zk-proofs and extractability assumption arguments [Gro10] Short Pairing-based Non-interactive Zero-Knowledge Arguments 9

  10. One round Interaction crs crs Prover π Verifier 10

  11. Strong Assumptions [GW11] Separating succinct [Mic00] non-interactive Computationally arguments from all sound proofs falsifi fiable assumptions G. Di Crescenzo J. Groth Joe Kilian Helger Lipmaa Silvio Micali Craig Gentry Daniel Wichs [Kil92] [DCL08] A note on effj ffjcient Succinct NP proofs from an zk-proofs and extractability assumption arguments [Gro10] Short Pairing-based Non-interactive Zero-Knowledge Arguments 11

  12. S uccinct N on-interactive ARG ument ! ! G G R R A A N N S S 12

  13. Properties of a SNARG Computational Succinct Efficient Soundness Proof Verification 13

  14. SNARG: Methodology Model crs SNARG Computational Model Target Statement under (Representation) R(y,w)=1 Non-Falsifiable Assumptions Computation y=F(x) PCP: Probabilistically Checkable Proofs ECRH: Extractable Collision-Resistant Hash QSP / SSP: Boolean Circuit SAT PKE: Power Knowledge of Exponent Quadratic / Square Span Programs QAP / SAP: Arithmetic Circuit SAT PKE: Power Knowledge of Exponent Q / S Arithmetic Programs 14

  15. State-of-the-art ECRH PKE [BCI+13] SNARGs via linear interactive proofs B. Parno, R. Gennaro, J.Howell, C. Gentry, C. Gentry, B. Parno, M. M. Raykova Raykova N.Bitansky, A. Chiesa, Y. Ishai, R. Ostrovsky, O Paneth [GGPR13] QSP and succinct NIZKs without PCPs [PHGR13] Pinocchio: Nearly practical verifi fiable computation 15

  16. Post-Quantum Succinct Arguments [GMNO18] [BCI+13] Lattice-based SNARGs via linear zk-SNARKs from SSP interactive proofs B. Parno, D. Boneh, Y. Ishai, J.Howell, C. Gentry, A. Sahai, D.J. Wu M. Raykova N.Bitansky, R. Gennaro, A. Chiesa, Y. Ishai, R. M. Minelli, Ostrovsky, O Paneth Anca Nitulescu, M. Orrù [BISW17] [PHGR13] Lattice-based SNARGs and their Pinocchio: Nearly practical verifi fiable application to more effj ffjcient computation obfuscation 16

  17. Post-Quantum SNARGs SSP SNARG Computational Model Target Statement under (Representation) R(y,w)=1 Post-Quantum Assumptions [BISW17] PCP: Probabilistically Checkable Proofs (Strong) Vector Linear-Only Encryption [GMNO18] QSP / SSP: PKE on Lattice Encodings Quadratic / Square Span Programs Boolean Circuit SAT ? QAP / SAP: Arithmetic Circuit SAT Q / Square Arithmetic Programs 17

  18. Post-Quantum Succinct Arguments [this work] Lattice-based [GMNO18] [BCI+13] zk-SNARGs Lattice-based SNARGs via linear from SAP zk-SNARKs from SSP interactive proofs B. Parno, D. Boneh, Y. Ishai, J.Howell, C. Gentry, A. Sahai, D.J. Wu M. Raykova N.Bitansky, Anca Nitulescu R. Gennaro, A. Chiesa, Y. Ishai, R. M. Minelli, Ostrovsky, O Paneth Anca Nitulescu, M. Orrù [BISW17] [PHGR13] Lattice-based SNARGs and their Pinocchio: Nearly practical verifi fiable application to more effj ffjcient computation obfuscation 18

  19. Defining SNARGs C The SNARK Definitions Construction END Background Option Option Option for SNARGs Security Tale 1 Tale 1 Tale 2 s s s 19

  20. SNARG with Preprocessing Algorithms 20

  21. Correctness and Soundness y ≠ f(x) y = f(x) Verify π π Corrupted Verifier Prover 21

  22. SNARG : S uccinct N on-Interactive AR Gument Succinctness proof size independent of NP witness size Non-Interactivity SNARG no exchange between prover and verifier ARGument soundness holds only against computationally bounded provers 22

  23. Zero-Knowledge SNARG Succinctness proof size independent of NP witness size Non-Interactivity zk-SNARG no exchange between prover and verifier Zero-Knowledge does not leak anything about the witness Argument soundness holds only against computationally bounded provers 23

  24. Zero-Knowledge Prover Simulator ≃ 24

  25. SNARK : S uccinct N on-Interactive AR gument of K nowledge Succinctness Knowledge Soundness proof size independent a witness can be efficiently of NP witness size extracted from the prover Non-Interactivity zk-SNARK no exchange between prover and verifier Zero-Knowledge does not leak anything about the witness Argument soundness holds only against computationally bounded provers 25

  26. SNARG BISW17 GM N O18 This work comparison Lattice-based Lattice-Based Lattice-Based SNARG zk-SNARK zk-SNARG from PCP from SSP from SAP computational model PCP SSP SAP assumption strong vector linear-only lattice PKE linear-only 1 vector of ciphertexts 5 ciphertexts 2 ciphertexts proof size zero-knowledge knowledge soundness arithmetic circuit quantum resilient

  27. Framework intuition C The SNARG Framework Construction END Background Option Option Option for SNARGs Security Tale 1 Tale 1 Tale 2 s s s s r c SAP SNARG π / 27

  28. Computation: Circuit SAT x y NP statement f(x)= y 0/1 Claim f(x)= y Prover Verifier 28

  29. NP witness: Too long! x y NP statement f(x)= y 1 Witness for Circuit SAT Long Prover Verifier 29

  30. Solve equivalent problem instead x y Polynomial problem Given v(x), t(x) . Circuit SAT Find P(x) such that solution P(x) t(x) = v(x) 0/1 Prover Verifier 30

  31. Solve equivalent problem instead Polynomial problem Given v(x), t(x) . Find P(x) such that P(x) = Σ p i x i P(x) t(x) = v(x) Coefficients of solution P(x) p 0 , p 1 , p 2 , … p d Prover Verifier 31

  32. Solution as big as witness for Circuit SAT Not Succinct P(x) = Σ p i x i Witness for Circuit SAT Coefficients of solution P(x) p 0 , p 1 , p 2 , … p d Prover Verifier 32

  33. Evaluate polynomial in one point s s P(x) = Σ p i x i Coefficients of solution P(x) p 0 , p 1 , p 2 , … p d Prover Verifier 33

  34. Evaluate polynomial in one point s Polynomial problem s P( s ) = Σ p i s i P(x) t(x) = v(x) P(s) t(s) = v(s) P(x) P(s) Prover Verifier 34

  35. The evaluation point should be hidden s P’ ≠ P(x) P’ P(x) Prover Verifier 35

  36. The evaluation point should be hidden s P’ t(s) = t(s) v(s) s Enc( s ) P’ P(x) P’ Prover Verifier 36

  37. Encoding of evaluation point s Enc( s ) P(s) = ? P(x) Prover Verifier 37

  38. Encoding Properties Enc( P (s)) Enc(s 2 ) Enc(s d ) Enc(s) Enc(s i ) = Σ p i Encoding: ● linearly homomorphic Prover Verifier 38

  39. Succinct Proof Enc( P (s)) Enc(s 2 ) Enc(s d ) Enc(s) Proof π = e z i s t n a t s n o f o C o r P Prover Verifier 39

  40. Verification Polynomial problem Given v(x), t(x) . Find P(x) such that P(x) t(x) = v(x) P π = v(s) P t (s) Encoding: ● linearly homomorphic ● quadratic root detection Prover Verifier ● image verification 40

  41. Security 41

  42. Non-falsifiable Assumption: Linear-Only Enc(m 1 ) Enc(m 2 ) Enc(m n ) L-O Enc( M ) a 1 a 2 a d M = m 1 + m 2 + + m d 42

  43. Our SNARG C The SNARG Definitions Construction END Background Option Option Option for SNARGs Security Tale 1 Tale 1 Tale 2 s s s 43

  44. Polynomial problem Square Arithmetic Programs Computational Model For Arithmetic Circuits 44

  45. Arithmetic Circuit Satisfiability Problem a 1 a 2 a 3 a 4 + + + a 5 + + , a 3 )= a 6 f(a 1 statement: a 1 , a 3 , a 6 a 6 witness: a 2 , a 4 , a 5 45

  46. NEW Representation: Square Arithmetic Program SAP a 1 a 2 a 3 a 4 + + Square Arithmetic Program a 5 SAP + a 6 46

  47. Polynomial problem Encodings Lattice-Based Assumptions 47

  48. Encodings Instantiations: Discrete Log DLog Group Linearly homomorphic: Quadratic root detection ( public ) ? s 2 s d g s g g ? 48

  49. Post-Quantum: Encryption Scheme Encryption scheme Quadratic root detection needs sk Linearly homomorphic: ? E pk (s) E pk (s 2 ) E pk (s d ) E (h(s)) E (p(s)) 49

  50. SNARK from SAP p(s), h(s) Proof: Circuit Evaluate for f( ⋅ ) in a point ? t (s)h(s)=p(s) p(s)= V(s) 2 -1 Find h(x) Verify Verify t(x)h(x)=p(x) h(s) the proof SAP p(s) 50

  51. Proof: Evaluate solution in s a 1 a 2 a 3 a 4 α s α s 2 α s d + + + a 5 + + a 6 A π = E ( α V (s)) 51

Recommend

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai,

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai,

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Program Obfuscation [BGIRSVY01, GGHRSW13] Indistinguishability obfuscation ( ) has emerged as a central hub

648 views • 36 slides
Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli,

Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli,

Sub-Linear Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli, Rafael del Pino, Jens Groth and Vadim Lyubashevsky Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits 2

712 views • 33 slides
RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core

RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core

22nd IEEE Symposium on Computer Arithmetic RNS Arithmetic Approach in Lattice-based Cryptography Accelerating the Rounding-off Core Procedure Jean-Claude Bajard , Julien Eynard Nabil Merkiche , Thomas Plantard Sorbonne

383 views • 25 slides
Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2

Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2

Lattice-Based Zero-Knowledge Arguments for Integer Relations t Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 Beno 1 CNRS and ENS Lyon, France 2 Nanyang Technological University, Singapore CRYPTO 2018, 20 August 2018 Zero-Knowledge

422 views • 30 slides
Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors t Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 Beno 1 Ecole Normale Sup erieure de Lyon (France) 2

681 views • 33 slides
Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert 1 San Ling 2 Fabrice Mouhartem 1 Beno Khoa Nguyen 2 Huaxiong Wang 2 1 Ecole Normale Sup erieure de Lyon (France) 2 Nanyang Technological

618 views • 46 slides
Short, Invertible Elements in Partially Splitting Cyclotomic Rings and Applications to

Short, Invertible Elements in Partially Splitting Cyclotomic Rings and Applications to

Short, Invertible Elements in Partially Splitting Cyclotomic Rings and Applications to Lattice-Based Zero-Knowledge Proofs Vadim Lyubashevsky Gregor Seiler IBM Research Zurich April 30, 2018 Motivation: Lattice-Based Zero-Knowledge Proofs

790 views • 42 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University, Israel 2012 Lattice-Based Encryption Schemes 1. NTRU [Hoffstein,

849 views • 47 slides
Accelerating lattice reduction algorithms with floating-point arithmetic Damien Stehl e

Accelerating lattice reduction algorithms with floating-point arithmetic Damien Stehl e

Background on Euclidean lattices Hybrid algorithms for LLL-reduction The fplll library Conclusion Accelerating lattice reduction algorithms with floating-point arithmetic Damien Stehl e http://perso.ens-lyon.fr/damien.stehle/ LIP

766 views • 74 slides
Knowledge-Based Agents knowledge knowledge representation, knowledge base, types of knowledge

Knowledge-Based Agents knowledge knowledge representation, knowledge base, types of knowledge

CPE/CSC 580-S06 Artificial Intelligence Intelligent Agents Knowledge-Based Agents knowledge knowledge representation, knowledge base, types of knowledge wumpus world example of knowledge-based agents knowledge representation language

325 views • 31 slides
Distribution of dense lattice orbits on homogeneous spaces June 6, 2013 Ergodic Theory with

Distribution of dense lattice orbits on homogeneous spaces June 6, 2013 Ergodic Theory with

Distribution of dense lattice orbits on homogeneous spaces June 6, 2013 Ergodic Theory with connections to arithmetic University of Crete, Iraklion Amos Nevo, Technion based on joint work with Alex Gorodnik Wrawick, ETDS 30 Plan Classical

826 views • 81 slides
2 1 Joppe W. Bos and Simon Friedberger Why these strange primes? 2 Quantum

2 1 Joppe W. Bos and Simon Friedberger Why these strange primes? 2 Quantum

Fast Arithmetic Modulo 2 1 Joppe W. Bos and Simon Friedberger Why these strange primes? 2 Quantum computers NIST call for PQC standards [1] [2] Post-Quantum Cryptography 3 Lattice-based Code-based MQ-based

524 views • 25 slides
SNARGs for P, and more, from poly-secure PIR Justin Holmgren Joint work with Zvika Brakerski and

SNARGs for P, and more, from poly-secure PIR Justin Holmgren Joint work with Zvika Brakerski and

1 SNARGs for P, and more, from poly-secure PIR Justin Holmgren Joint work with Zvika Brakerski and Yael Kalai 1 With RAM efficiency for the prover Verifiable Computation: What we want Common Reference String Hey! f(x) = y. Heres a

312 views • 14 slides
Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

923 views • 74 slides
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based Cryptography Why Lattice-based Crypto? o Exponentially Hard (so far) o Quantum-Resistant (so far) o Worst-case hardness (unique feature of

699 views • 38 slides
Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink July 1st, 2019 July 1st, 2019 1 / 27 Lattice-based cryptography II In this talk: Introduction to (ring-)LWE Lattice-based key-exchange and

1.44k views • 80 slides
Knowledge-based Agents Can represent knowledge And reason with this knowledge CS 331:

Knowledge-based Agents Can represent knowledge And reason with this knowledge CS 331:

Knowledge-based Agents Can represent knowledge And reason with this knowledge CS 331: Artificial Intelligence How is this different from the knowledge Propositional Logic I used by problem-specific agents? More general More

221 views • 9 slides
Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts ttts PQCrypto Summer School 2017 (June 20, 2017) Part 1: Lattices, cryptography, and lattice basis

872 views • 53 slides
Plan for today Knowledge-based systems 1 Explicit knowledge Knowledge Representation Inferred

Plan for today Knowledge-based systems 1 Explicit knowledge Knowledge Representation Inferred

Knowledge Representation Knowledge Representation Plan for today Knowledge-based systems 1 Explicit knowledge Knowledge Representation Inferred knowledge Domain-specific stuff A very brief intro Changing premises Uncertainty Jacek Malec

179 views • 13 slides
Plan for today Knowledge-based systems 1 Tacit knowledge Knowledge Representation Inferred

Plan for today Knowledge-based systems 1 Tacit knowledge Knowledge Representation Inferred

Knowledge Representation Knowledge Representation Plan for today Knowledge-based systems 1 Tacit knowledge Knowledge Representation Inferred knowledge Domain-specific stuff A very brief intro Changing premises Uncertainty Jacek Malec

265 views • 13 slides
Knowledge-Based Agents (Logical Agents) A knowledge-based agent needs (at least): A

Knowledge-Based Agents (Logical Agents) A knowledge-based agent needs (at least): A

A Knowledge-Based Agent Knowledge-Based Agents (Logical Agents) A knowledge-based agent needs (at least): A knowledge base An inference system A knowledge base (KB) is a set of representations of facts about the world. Each

54 views • 4 slides
Empiricism, Probability, and Knowledge of Arithmetic Sean Walsh Department of Logic and

Empiricism, Probability, and Knowledge of Arithmetic Sean Walsh Department of Logic and

I. Intro II. Avoiding Counting Assignments III. Avoiding Alignment IV. Summary + Questions Empiricism, Probability, and Knowledge of Arithmetic Sean Walsh Department of Logic and Philosophy of Science University of California, Irvine

396 views • 27 slides
Digital Design Discussion: Arithmetic Binary Arithmetic Floating-Point Arithmetic Binary

Digital Design Discussion: Arithmetic Binary Arithmetic Floating-Point Arithmetic Binary

Principles Of Digital Design Discussion: Arithmetic Binary Arithmetic Floating-Point Arithmetic Binary Arithmetic Same basic methodology as decimal arithmetic Important to know number representation Unsigned Signed

704 views • 11 slides

More recommend