Lattice-Based Zero-Knowledge SNARGs for Arithmetic Circuits
Anca Nitulescu
Outline
● Background: Motivation, Proof Systems, History, State-of-the-art
● The SNARG Option: Definitions, Properties, Methodology
● Framework: Roadmap and Tools, Building Blocks
● Construction: New Scheme
● Security
● Conclusions: Open Questions

SNARK Tale (Prover and Verifier)
Delegated Computation
Task: the Prover computes f(x) = y.

Prover claims a statement
Claim: y = f(x).

Verifier does not trust the Prover
A corrupted Prover may claim f(x) = y even when y ≠ f(x).
Proof Systems: Non-Interactive Arguments
[Kil92] Joe Kilian, A note on efficient zk-proofs and arguments
[Mic00] Silvio Micali, Computationally sound proofs

Non-Interactive Proof Protocol [Mic00]
Claim: y = f(x). The Prover sends a single proof π and the Verifier checks it; security is argued in the random oracle model (ROM).

Pre-Processing for Efficient Arguments: a common reference string (crs)
[Kil92] Joe Kilian, A note on efficient zk-proofs and arguments
[Mic00] Silvio Micali, Computationally sound proofs
[DCL08] G. Di Crescenzo, Helger Lipmaa, Succinct NP proofs from an extractability assumption
[Gro10] J. Groth, Short Pairing-based Non-interactive Zero-Knowledge Arguments

One-round interaction
Prover and Verifier both hold the crs; the Prover sends π.

Strong Assumptions
[GW11] Craig Gentry, Daniel Wichs, Separating succinct non-interactive arguments from all falsifiable assumptions
Earlier works: [Kil92], [Mic00], [DCL08], [Gro10].
SNARG: Succinct Non-interactive ARGument

Properties of a SNARG
● Computational Soundness
● Succinct Proof
● Efficient Verification
SNARG: Methodology
Computation y = F(x) → Computational Model (Representation) → Target Statement R(y, w) = 1 → SNARG (crs) under Non-Falsifiable Assumptions

Computational Model (Representation)              | Target Statement       | Non-Falsifiable Assumption
PCP: Probabilistically Checkable Proofs           | Computation y = F(x)   | ECRH: Extractable Collision-Resistant Hash
QSP / SSP: Quadratic / Square Span Programs       | Boolean Circuit SAT    | PKE: Power Knowledge of Exponent
QAP / SAP: Quadratic / Square Arithmetic Programs | Arithmetic Circuit SAT | PKE: Power Knowledge of Exponent
State-of-the-art (assumptions: ECRH, PKE)
[BCI+13] N. Bitansky, A. Chiesa, Y. Ishai, R. Ostrovsky, O. Paneth, SNARGs via linear interactive proofs
[GGPR13] R. Gennaro, C. Gentry, B. Parno, M. Raykova, QSP and succinct NIZKs without PCPs
[PHGR13] B. Parno, J. Howell, C. Gentry, M. Raykova, Pinocchio: Nearly practical verifiable computation
Post-Quantum Succinct Arguments
[BCI+13] N. Bitansky, A. Chiesa, Y. Ishai, R. Ostrovsky, O. Paneth, SNARGs via linear interactive proofs
[PHGR13] B. Parno, J. Howell, C. Gentry, M. Raykova, Pinocchio: Nearly practical verifiable computation
[BISW17] D. Boneh, Y. Ishai, A. Sahai, D.J. Wu, Lattice-based SNARGs and their application to more efficient obfuscation
[GMNO18] R. Gennaro, M. Minelli, Anca Nitulescu, M. Orrù, Lattice-based zk-SNARKs from SSP

Post-Quantum SNARGs
Computational Model (Representation)              | Target Statement       | Post-Quantum Assumption
PCP: Probabilistically Checkable Proofs           | Computation y = F(x)   | [BISW17] (Strong) Vector Linear-Only Encryption
QSP / SSP: Quadratic / Square Span Programs       | Boolean Circuit SAT    | [GMNO18] PKE on Lattice Encodings
QAP / SAP: Quadratic / Square Arithmetic Programs | Arithmetic Circuit SAT | ?

Post-Quantum Succinct Arguments (continued)
[this work] Anca Nitulescu, Lattice-based zk-SNARGs from SAP
Alongside [BCI+13], [PHGR13], [BISW17], [GMNO18] above.
Defining SNARGs

SNARG with Preprocessing: Algorithms

Correctness and Soundness
● Correctness: when y = f(x), Verify accepts the honest Prover's π.
● Soundness: a corrupted Prover cannot make Verify accept a π for y ≠ f(x).
SNARG: Succinct Non-Interactive ARGument
● Succinctness: proof size independent of NP witness size
● Non-Interactivity: no exchange between prover and verifier
● ARGument: soundness holds only against computationally bounded provers

Zero-Knowledge SNARG (zk-SNARG)
● Succinctness: proof size independent of NP witness size
● Non-Interactivity: no exchange between prover and verifier
● Zero-Knowledge: does not leak anything about the witness
● Argument: soundness holds only against computationally bounded provers

Zero-Knowledge
Prover ≃ Simulator: proofs produced by the Prover are indistinguishable from proofs produced by a Simulator.

SNARK: Succinct Non-Interactive ARgument of Knowledge (zk-SNARK)
● Succinctness: proof size independent of NP witness size
● Knowledge Soundness: a witness can be efficiently extracted from the prover
● Non-Interactivity: no exchange between prover and verifier
● Zero-Knowledge: does not leak anything about the witness
● Argument: soundness holds only against computationally bounded provers
SNARG comparison
                    | BISW17: Lattice-based SNARG from PCP | GMNO18: Lattice-Based zk-SNARK from SSP | This work: Lattice-Based zk-SNARG from SAP
computational model | PCP                                  | SSP                                     | SAP
assumption          | strong vector linear-only            | lattice PKE                             | linear-only
proof size          | 1 vector of ciphertexts              | 5 ciphertexts                           | 2 ciphertexts
zero-knowledge      | no                                   | yes                                     | yes
knowledge soundness | no                                   | yes                                     | no
arithmetic circuit  | -                                    | no (SSP: Boolean circuits)              | yes
quantum resilient   | yes (lattice-based)                  | yes (lattice-based)                     | yes (lattice-based)
Framework intuition: from a SAP to a SNARG proof π

Computation: Circuit SAT
NP statement: f(x) = y, for a circuit with output 0/1. Claim: f(x) = y.

NP witness: too long!
The witness for Circuit SAT is long.
Solve an equivalent problem instead
Polynomial problem: given v(x), t(x), find P(x) such that P(x)·t(x) = v(x).
A Circuit SAT solution corresponds to a solution P(x).

Solve an equivalent problem instead (continued)
P(x) = Σ p_i x^i; the solution is given by its coefficients p_0, p_1, p_2, …, p_d.

Solution as big as the witness for Circuit SAT: not succinct
Sending the coefficients p_0, p_1, p_2, …, p_d of P(x) = Σ p_i x^i is as long as sending the Circuit SAT witness.
Evaluate the polynomial in one point s
Instead of the coefficients p_0, p_1, p_2, …, p_d of P(x) = Σ p_i x^i, the Prover sends the single value P(s) = Σ p_i s^i.
The polynomial identity P(x)·t(x) = v(x) becomes the check P(s)·t(s) = v(s) at the point s.
The evaluation point should be hidden
If the Prover knows s, it can send a value P' ≠ P(s) that still satisfies P'·t(s) = v(s), without knowing any valid P(x).
Hence the Prover only receives an encoding Enc(s) of the point.

Encoding of the evaluation point
Given only Enc(s), how does the Prover compute P(s)?
Encoding properties
From Enc(s), Enc(s^2), …, Enc(s^d) the Prover computes Enc(P(s)) = Σ p_i · Enc(s^i).
Encoding: ● linearly homomorphic

Succinct proof
Proof π = Enc(P(s)), computed from Enc(s), Enc(s^2), …, Enc(s^d): a proof of constant size.

Verification
Polynomial problem: given v(x), t(x), find P(x) such that P(x)·t(x) = v(x).
The Verifier checks on the encodings that P(s)·t(s) = v(s).
Encoding: ● linearly homomorphic ● quadratic root detection ● image verification
Security

Non-falsifiable assumption: Linear-Only (L-O)
Given Enc(m_1), Enc(m_2), …, Enc(m_n), any valid Enc(M) an adversary produces is a linear combination of its inputs: M = a_1 m_1 + a_2 m_2 + … + a_d m_d for coefficients a_1, a_2, …, a_d.
Our SNARG

Polynomial problem: Square Arithmetic Programs
A computational model for arithmetic circuits.

Arithmetic Circuit Satisfiability Problem
A circuit on wires a_1, a_2, a_3, a_4, a_5, a_6 computing f(a_1, a_3) = a_6.
Statement: a_1, a_3, a_6. Witness: a_2, a_4, a_5.

NEW Representation: Square Arithmetic Program (SAP)
The circuit on wires a_1, …, a_6 is encoded as a Square Arithmetic Program.

Polynomial problem → Encodings → Lattice-Based Assumptions
Encodings instantiations: Discrete Log
DLog group: g^s, g^{s^2}, …, g^{s^d}
● Linearly homomorphic
● Quadratic root detection (public)

Post-Quantum: Encryption Scheme
E_pk(s), E_pk(s^2), …, E_pk(s^d); the proof carries E(h(s)), E(p(s))
● Linearly homomorphic
● Quadratic root detection needs sk
SNARK from SAP
Circuit for f(·) → SAP → polynomial relation t(x)·h(x) = p(x), with p(s) = V(s)^2 - 1.
Prover: find h(x) and evaluate p(s), h(s) in the hidden point s. Proof: p(s), h(s).
Verifier: check t(s)·h(s) = p(s).

Proof: evaluate the solution in s
Encodings E(α s), E(α s^2), …, E(α s^d) for the circuit on wires a_1, …, a_6; proof element A: π = E(α V(s)).