Ze Zero-Kn Knowledge Pr Proofs on on Se Secr cret-Sh Shared - PowerPoint PPT Presentation

Ze Zero-Kn Knowledge Pr Proofs on on Se Secr cret-Sh Shared Data ta via via Fully Lin inear ear PCPs PCPs Dan Boneh Elette Boyle Henry Corrigan-Gibbs Niv Gilboa Yuval Ishai Ben-Gurion Stanford IDC Herzliya Stanford Technion University

Rev Review ew Zero-knowledge proofs [GMR89] Prover 𝑄 Verifier 𝑊 3-coloring of 𝐻 𝐻 mplete. Honest 𝑄 convinces honest 𝑊 . Co Compl Dishonest 𝑄 ∗ rarely fools honest 𝑊 . So Sound. Dishonest 𝑊 ∗ learns only that 𝐻 ∈ 3COL . ZK. ZK à 𝑊 ∗ le lse about 𝐻 learns ns no nothing hing els 36

Rev Review ew Zero-knowledge proofs [GMR89] Prover 𝑄 Verifier 𝑊 3-coloring of 𝐻 𝐻 “ 𝐻 is 3-colorable” mplete. Honest 𝑄 convinces honest 𝑊 . Co Compl Dishonest 𝑄 ∗ rarely fools honest 𝑊 . Sound. So Dishonest 𝑊 ∗ learns only that 𝐻 ∈ 3COL . ZK ZK. à 𝑊 ∗ le lse about 𝐻 learns ns no nothing hing els 37

Rev Review ew Zero-knowledge proofs [GMR89] Prover 𝑄 Verifier 𝑊 3-coloring of 𝐻 𝐻 “ 𝐻 is 3-colorable” mplete. Honest 𝑄 convinces honest 𝑊 . Co Compl Dishonest 𝑄 ∗ rarely fools honest 𝑊 . Sound. So Dishonest 𝑊 ∗ learns only that 𝐻 ∈ 3COL . ZK ZK. à 𝑊 ∗ le lse about 𝐻 learns ns no nothing hing els 38

Th This is pa pape per Zero-knowledge proofs on di distribu buted data Verifier 𝑊 * 𝐻 * Prover 𝑄 Verifier 𝑊 3-coloring , of 𝐻 * + 𝐻 , 𝐻 , mplete. Honest 𝑄 convinces honest 𝑊 * , 𝑊 Compl Co , . Dishonest 𝑄 ∗ rarely fools honest (𝑊 * , 𝑊 , ) . So Sound. ∗ (or 𝑊 ∗ ) learns only that 𝐻 * + 𝐻 , ∈ 3COL . ZK. Dishonest 𝑊 Strong ZK Str * , à 𝑊 lse about 𝐻 , * le learns ns no nothing hing els 39

This Th is pa pape per Zero-knowledge proofs on di distribu buted data Verifier 𝑊 * 𝐻 * Prover 𝑄 Verifier 𝑊 3-coloring , of 𝐻 * + 𝐻 , “ 𝐻 * + 𝐻 , is 3-colorable” 𝐻 , mplete. Honest 𝑄 convinces honest 𝑊 * , 𝑊 Compl Co , . Dishonest 𝑄 ∗ rarely fools honest (𝑊 * , 𝑊 , ) . So Sound. ∗ (or 𝑊 ∗ ) learns only that 𝐻 * + 𝐻 , ∈ 3COL . ZK. Dishonest 𝑊 Strong ZK Str * , à 𝑊 lse about 𝐻 , * le learns ns no nothing hing els 40

This Th is pa pape per Zero-knowledge proofs on di distribu buted data Verifier 𝑊 * 𝐻 * Prover 𝑄 Verifier 𝑊 3-coloring , of 𝐻 * + 𝐻 , “ 𝐻 * + 𝐻 , is 3-colorable” 𝐻 , mplete. Honest 𝑄 convinces honest 𝑊 * , 𝑊 Compl Co , . Dishonest 𝑄 ∗ rarely fools honest (𝑊 * , 𝑊 , ) . So Sound. ∗ (or 𝑊 ∗ ) learns only that 𝐻 * + 𝐻 , ∈ 3COL . ZK. Dishonest 𝑊 Strong ZK Str * , à 𝑊 lse about 𝐻 , * le learns ns no nothing hing els 41

This Th is pa pape per Zero-knowledge proofs on di distribu buted data Verifier 𝑊 * 𝐻 * Prover 𝑄 Verifier 𝑊 3-coloring , of 𝐻 * + 𝐻 , “ 𝐻 * + 𝐻 , is 3-colorable” 𝐻 , 𝒍 -ro rotocol = As in other multiparty protocols roun und p d pro oin = Verifiers’ messages to prover are random strings Publ Public ic coin More Mo re t than t two ve verif rifie iers rs 42

Specia Sp ial case Zero-knowledge proofs on sec secret et-sh shared ed data Language ℒ ⊆ 𝔾 5 , for finite field 𝔾 . 𝑦 * ∈ 𝔾 5 Verifier 𝑊 * 𝑦 ∈ 𝔾 5 Prover for 𝑦 = 𝑦 * + 𝑦 , 𝑦 , ∈ 𝔾 5 Verifier 𝑊 , “ 𝑦 * + 𝑦 , ∈ ℒ ” 43

ZK proofs on distributed data Applications and prior implicit constructions Com Communic ication ion Cos Cost ge ℒ La Langu guage Applic Ap icat ation ion Pr Prior This wor Th ork PIR writing, Weight-one Ω(𝑜) 𝑃(1) private messaging vectors in 𝔾 5 [OS97], [BGI16], Riposte, … 0,1 5 ⊆ 𝔾 5 Private statistics, Ω(𝑜) 𝑃(log 𝑜) private ad targeting for large 𝔾 Adnostic, Adscale, Prio, … Also: New application to malicious-secure MPC. Al 44

ZK proofs on distributed data Applications and prior implicit constructions Com Communic ication ion Cos Cost ge ℒ La Langu guage Applic Ap icat ation ion Prior Pr This wor Th ork Used in the PIR writing, Firefox Weight-one Ω(𝑜) 𝑃(1) private messaging vectors in 𝔾 5 browser [OS97], [BGI16], Riposte, … 0,1 5 ⊆ 𝔾 5 Private statistics, Ω(𝑜) 𝑃(log 𝑜) private ad targeting for large 𝔾 Adnostic, Adscale, Prio, … Also: New application to malicious-secure MPC. Al 45

ZK proofs on distributed data Applications and prior implicit constructions Com Communic ication ion Cos Cost ge ℒ La Langu guage Applic Ap icat ation ion Pr Prior This wor Th ork PIR writing, Weight-one Ω(𝑜) 𝑃(1) private messaging vectors in 𝔾 5 [OS97], [BGI16], Riposte, … 0,1 5 ⊆ 𝔾 5 Private statistics, Ω(𝑜) 𝑃(log 𝑜) private ad targeting for large 𝔾 Adnostic, Adscale, Prio, … Also: New application to malicious-secure MPC. Al 46

Selected results: New ZK proofs Let 𝔾 be a finite field. Let ℒ ⊆ 𝔾 5 be a language. ( 𝑜 ≪ 𝔾 ) m. If ℒ is recognized by circuits of size |𝓓| , there is a Th Theorem. public-coin ZK proof on distributed data for ℒ with: 𝑃(1) rounds and • communication cost 𝑷(|𝓓|) . (elements of 𝔾 ) • m. If ℒ has a de two arithmetic circuit, there is a Th Theorem. degre gree-tw public-coin ZK proof on distributed data for ℒ with: 𝑃(log 𝑜) rounds and • communication cost 𝑷(𝐦𝐩𝐡 𝒐) . (Improves: Ω(𝑜) [BC17]) • 47

Selected results: New ZK proofs Let 𝔾 be a finite field. Let ℒ ⊆ 𝔾 5 be a language. ( 𝑜 ≪ 𝔾 ) m. If ℒ is recognized by circuits of size |𝓓| , there is a Th Theorem. public-coin ZK proof on distributed data for ℒ with: 𝑃(1) rounds and • communication cost 𝑷(|𝓓|) . (elements of 𝔾 ) • m. If ℒ has a de two arithmetic circuit, there is a Theorem. Th degre gree-tw • Generalizes special-purpose schemes. [CB17] public-coin ZK proof on distributed data for ℒ with: 𝑃(log 𝑜) rounds and • Non-trivial extension to setting in which • communication cost 𝑷(𝐦𝐩𝐡 𝒐) . (Improves: Ω(𝑜) [BC17]) • prover and some verifiers collude. 48

Selected results: New ZK proofs Let 𝔾 be a finite field. Let ℒ ⊆ 𝔾 5 be a language. ( 𝑜 ≪ 𝔾 ) m. If ℒ is recognized by circuits of size |𝓓| , there is a Th Theorem. public-coin ZK proof on distributed data for ℒ with: 𝑃(1) rounds and • communication cost 𝑷(|𝓓|) . (elements of 𝔾 ) • m. If ℒ has a de two arithmetic circuit, there is a Th Theorem. degre gree-tw public-coin ZK proof on distributed data for ℒ with: 𝑃(log 𝑜) rounds and • communication cost 𝑷(𝐦𝐩𝐡 𝒐) . (Improves: Ω(𝑜) [BC17]) • 49

Selected results: New ZK proofs Let 𝔾 be a finite field. Let ℒ ⊆ 𝔾 5 be a language. ( 𝑜 ≪ 𝔾 ) m. If ℒ is recognized by circuits of size |𝓓| , there is a Th Theorem. public-coin ZK proof on distributed data for ℒ with: 𝑃(1) rounds and • communication cost 𝑷(|𝓓|) . (elements of 𝔾 ) • m. If ℒ has a de two arithmetic circuit, there is a Th Theorem. degre gree-tw public-coin ZK proof on distributed data for ℒ with: 𝑃(log 𝑜) rounds and • communication cost 𝑷(𝐦𝐩𝐡 𝒐) . (Improves: Ω(𝑜) [BC17]) • 50

Selected results: New ZK proofs Let 𝔾 be a finite field. Let ℒ ⊆ 𝔾 5 be a language. ( 𝑜 ≪ 𝔾 ) m. If ℒ is recognized by circuits of size |𝓓| , there is a Th Theorem. public-coin ZK proof on distributed data for ℒ with: 𝑃(1) rounds and • communication cost 𝑷(|𝓓|) . (elements of 𝔾 ) • m. If ℒ has a de two arithmetic circuit, there is a Theorem. Th degre gree-tw public-coin ZK proof on distributed data for ℒ with: 𝑃(log 𝑜) rounds and 𝒍 • 𝒐 𝑷 𝟐/𝒍 communication cost 𝑷(𝐦𝐩𝐡 𝒐) . (Improves: Ω(𝑜) [BC17]) • 51

Selected results: New ZK proofs Let 𝔾 be a finite field. Let ℒ ⊆ 𝔾 5 be a language. ( 𝑜 ≪ 𝔾 ) m. If ℒ is recognized by circuits of size |𝓓| , there is a Th Theorem. Our proofs apply to a much larger class public-coin ZK proof on distributed data for ℒ with: of “structured” languages (see paper) 𝑃(1) rounds and • Circuits with degree 𝑃(1) or repetition or … • communication cost 𝑷(|𝓓|) . (elements of 𝔾 ) • m. If ℒ has a de two arithmetic circuit, there is a Th Theorem. degre gree-tw public-coin ZK proof on distributed data for ℒ with: 𝑃(log 𝑜) rounds and 𝒍 • 𝒐 𝑷 𝟐/𝒍 communication cost 𝑷(𝐦𝐩𝐡 𝒐) . (Improves: Ω(𝑜) [BC17]) • 52

Th This s talk • ZK ZK proofs on distr tribute ted data ata • Fully linear PCPs • Application: Three-party computation 53

Th This s talk • ZK proofs on distributed data • Ful Fully linea inear r PCPs • Application: Three-party computation 54

Constructing ZK proofs on distributed data Ste Step 1. 1. Define “fully linear PCPs” • A strengthening of linear PCPs [IKO07] • We then show: Efficient fully Efficient ZK proof on implies linear PCP for ℒ distributed data for ℒ Ste Step 2 2. Construct new fully linear PCPs 55