Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits Anca - PowerPoint PPT Presentation


  1. Lattice-Based zero-knowledge SNARGs for Arithmetic Circuits Anca Nitulescu

  2. Outline: Background (Proof Systems, Motivation, History, State-of-the-art); Definitions for SNARGs (Definitions, Properties, Methodology); The SNARG Construction (Roadmap and Tools, Framework, Building Blocks, New Scheme); Security; Conclusions (Open Questions).

  3. SNARK (section: Background). Figure: Prover and Verifier.

  4. Delegated Computation: the Verifier delegates a task, and the Prover computes f(x) = y.

  5. The Prover claims a statement: Claim y = f(x).

  6. The Verifier does not trust the Prover: a corrupted Prover may claim f(x) = y even though y ≠ f(x).

  7. Proof Systems: Non-Interactive Arguments. [Kil92] Joe Kilian, A note on efficient zero-knowledge proofs and arguments. [Mic00] Silvio Micali, Computationally sound proofs.

  8. Non-Interactive Proof Protocol [Mic00]: the Prover claims y = f(x) and sends a single proof π to the Verifier, in the random oracle model (ROM).

  9. Pre-Processing for Efficient Arguments: a common reference string (crs). [Kil92] Joe Kilian, A note on efficient zero-knowledge proofs and arguments. [Mic00] Silvio Micali, Computationally sound proofs. [DCL08] G. Di Crescenzo, Helger Lipmaa, Succinct NP proofs from an extractability assumption. [Gro10] J. Groth, Short pairing-based non-interactive zero-knowledge arguments.

  10. One-round interaction: Prover and Verifier share the crs; the Prover sends π.

  11. Strong Assumptions. [GW11] Craig Gentry, Daniel Wichs, Separating succinct non-interactive arguments from all falsifiable assumptions. Shown alongside [Kil92], [Mic00], [DCL08] and [Gro10] as above.

  12. Succinct Non-interactive ARGument: SNARG.

  13. Properties of a SNARG: Computational Soundness, Succinct Proof, Efficient Verification.

  14. SNARG: Methodology. Columns: Computational Model (Representation) | Target Statement R(y,w) = 1 | SNARG under Non-Falsifiable Assumptions.
      PCP: Probabilistically Checkable Proofs | Computation y = F(x) | ECRH: Extractable Collision-Resistant Hash.
      QSP / SSP: Quadratic / Square Span Programs | Boolean Circuit SAT | PKE: Power Knowledge of Exponent.
      QAP / SAP: Quadratic / Square Arithmetic Programs | Arithmetic Circuit SAT | PKE: Power Knowledge of Exponent.

  15. State-of-the-art (assumptions: ECRH, PKE). [BCI+13] N. Bitansky, A. Chiesa, Y. Ishai, R. Ostrovsky, O. Paneth, SNARGs via linear interactive proofs. [GGPR13] R. Gennaro, C. Gentry, B. Parno, M. Raykova, QSP and succinct NIZKs without PCPs. [PHGR13] B. Parno, J. Howell, C. Gentry, M. Raykova, Pinocchio: Nearly practical verifiable computation.

  16. Post-Quantum Succinct Arguments. [BISW17] D. Boneh, Y. Ishai, A. Sahai, D. J. Wu, Lattice-based SNARGs and their application to more efficient obfuscation. [GMNO18] R. Gennaro, M. Minelli, Anca Nitulescu, M. Orrù, Lattice-based zk-SNARKs from SSP. Shown alongside [BCI+13] SNARGs via linear interactive proofs and [PHGR13] Pinocchio: Nearly practical verifiable computation.

  17. Post-Quantum SNARGs. Columns: Computational Model (Representation) | Target Statement R(y,w) = 1 | SNARG under Post-Quantum Assumptions.
      PCP: Probabilistically Checkable Proofs | | [BISW17] (Strong) Vector Linear-Only Encryption.
      QSP / SSP: Quadratic / Square Span Programs | Boolean Circuit SAT | [GMNO18] PKE on Lattice Encodings.
      QAP / SAP: Quadratic / Square Arithmetic Programs | Arithmetic Circuit SAT | ?

  18. Post-Quantum Succinct Arguments. [this work] Anca Nitulescu, Lattice-based zk-SNARGs from SAP. [GMNO18] R. Gennaro, M. Minelli, Anca Nitulescu, M. Orrù, Lattice-based zk-SNARKs from SSP. [BISW17] D. Boneh, Y. Ishai, A. Sahai, D. J. Wu, Lattice-based SNARGs and their application to more efficient obfuscation. [BCI+13] N. Bitansky, A. Chiesa, Y. Ishai, R. Ostrovsky, O. Paneth, SNARGs via linear interactive proofs. [PHGR13] B. Parno, J. Howell, C. Gentry, M. Raykova, Pinocchio: Nearly practical verifiable computation.

  19. Defining SNARGs (section: Definitions for SNARGs).

  20. SNARG with Preprocessing: Algorithms (figure).

  21. Correctness and Soundness: Verify(π) accepts the honest Prover's proof when y = f(x); a corrupted Prover with y ≠ f(x) should not be able to make Verify(π) accept.

  22. SNARG: Succinct Non-Interactive ARGument. Succinctness: proof size independent of NP witness size. Non-Interactivity: no exchange between prover and verifier. ARGument: soundness holds only against computationally bounded provers.

  23. Zero-Knowledge SNARG (zk-SNARG). Succinctness: proof size independent of NP witness size. Non-Interactivity: no exchange between prover and verifier. Zero-Knowledge: does not leak anything about the witness. Argument: soundness holds only against computationally bounded provers.

  24. Zero-Knowledge: Prover ≃ Simulator.

  25. SNARK: Succinct Non-Interactive ARgument of Knowledge (zk-SNARK). Succinctness: proof size independent of NP witness size. Knowledge Soundness: a witness can be efficiently extracted from the prover. Non-Interactivity: no exchange between prover and verifier. Zero-Knowledge: does not leak anything about the witness. Argument: soundness holds only against computationally bounded provers.

  26. SNARG comparison. Columns: BISW17 | GMNO18 | This work.
      scheme: Lattice-based SNARG from PCP | Lattice-Based zk-SNARK from SSP | Lattice-Based zk-SNARG from SAP.
      computational model: PCP | SSP | SAP.
      assumption: strong vector linear-only | lattice PKE | linear-only.
      proof size: 1 vector of ciphertexts | 5 ciphertexts | 2 ciphertexts.
      further rows: zero-knowledge, knowledge soundness, arithmetic circuit, quantum resilient.

  27. Framework intuition (section: The SNARG Construction). Figure: crs, SAP, SNARG, π.

  28. Computation: Circuit SAT. NP statement: f(x) = y, the circuit outputs 0/1. The Prover claims f(x) = y.

  29. NP witness: too long! The witness for Circuit SAT is long.

  30. Solve an equivalent problem instead. Polynomial problem: given v(x), t(x), find P(x) such that P(x)·t(x) = v(x). The solution P(x) stands in for the Circuit SAT witness.

  31. Solve an equivalent problem instead. Polynomial problem: given v(x), t(x), find P(x) = Σ p_i x^i such that P(x)·t(x) = v(x). Coefficients of the solution P(x): p_0, p_1, p_2, ..., p_d.

  32. The solution is as big as the witness for Circuit SAT: not succinct. P(x) = Σ p_i x^i, coefficients p_0, p_1, p_2, ..., p_d.

  33. Evaluate the polynomial in one point s. P(x) = Σ p_i x^i, coefficients p_0, p_1, p_2, ..., p_d.

  34. Evaluate the polynomial in one point s: P(s) = Σ p_i s^i. The identity P(x)·t(x) = v(x) becomes the check P(s)·t(s) = v(s).

  35. The evaluation point should be hidden: if the Prover knows s, it can answer with some P' ≠ P(x).

  36. The evaluation point should be hidden: a value P' with P'·t(s) = v(s) passes the check at s even though P' ≠ P(x). So the Verifier sends Enc(s) instead of s.

  37. Encoding of the evaluation point: given Enc(s), how does the Prover compute P(s)?

  38. Encoding properties: from Enc(s), Enc(s^2), ..., Enc(s^d) the Prover computes Enc(P(s)) = Σ p_i Enc(s^i). Encoding: linearly homomorphic.

  39. Succinct Proof: from Enc(s), Enc(s^2), ..., Enc(s^d) the proof is π = Enc(P(s)), a proof of constant size.

  40. Verification. Polynomial problem: given v(x), t(x), find P(x) such that P(x)·t(x) = v(x). The Verifier checks the encoded identity P(s)·t(s) = v(s) on π, using t(s) and v(s). Encoding: linearly homomorphic; quadratic root detection; image verification.

  41. Security

  42. Non-falsifiable Assumption: Linear-Only. Given Enc(m_1), Enc(m_2), ..., Enc(m_n), an adversary can only output Enc(M) for M = a_1 m_1 + a_2 m_2 + ... + a_n m_n, for some coefficients a_1, a_2, ..., a_n (a linear combination of the inputs).

  43. Our SNARG (section: Construction).

  44. Polynomial problem: Square Arithmetic Programs, the computational model for arithmetic circuits.

  45. Arithmetic Circuit Satisfiability Problem. Figure: circuit on wires a_1, a_2, a_3, a_4, a_5, a_6 computing f(a_1, a_3) = a_6. Statement: a_1, a_3, a_6. Witness: a_2, a_4, a_5.

  46. NEW Representation: Square Arithmetic Program (SAP). Figure: the circuit on a_1, ..., a_6 mapped to a SAP.

  47. Polynomial problem: Encodings from Lattice-Based Assumptions.

  48. Encoding instantiations: Discrete Log (DLog) group, with g^s, g^{s^2}, ..., g^{s^d}. Linearly homomorphic; quadratic root detection (public).

  49. Post-Quantum: Encryption Scheme. E_pk(s), E_pk(s^2), ..., E_pk(s^d); linearly homomorphic, so E(h(s)) and E(p(s)) can be computed from them. Quadratic root detection needs sk.

  50. SNARK from SAP. The circuit for f(·) gives a SAP: find h(x) such that t(x)·h(x) = p(x), with p(s) = V(s)^2 − 1. Proof: evaluate in a point s, giving p(s), h(s). Verify the proof: t(s)·h(s) = p(s).

  51. Proof: evaluate the solution in s. The crs encodes α s, α s^2, ..., α s^d (figure: the circuit on a_1, ..., a_6); the proof element is A_π = E(α V(s)).
