
Zero-knowledge Arguments Proving circuit satisfiability in



  1. Short Pairing-based Non-interactive Zero-knowledge Arguments Proving circuit satisfiability in zero-knowledge

  2. Zero-knowledge • In a zero-knowledge protocol a prover can convince a verifier that some statement is true without leaking any side information. • The prover sends an argument (or arguments). • The verifier receives the argument and decides whether it is valid.

  3. Non-interactive protocol • Most zero-knowledge (ZK) protocols consist of a discourse between the prover and verifier. • Interactive protocols are problematic when there are multiple independent verifiers. • In a non-interactive protocol the prover is the only one sending arguments.

  4. Circuit satisfiability • Given a Boolean circuit, the protocol will verify that the prover has a satisfying assignment to the input variables. • Since NAND is a universal gate, we need only solve the problem for NAND circuits. • In our protocol the assigned values of the wires are committed in ZK.

  5. Schematic description of the process: The prover • The prover holds assignments to all the wires in the circuit. • A self loop will be added to the output wire of the circuit – output = NAND(output, new_variable), forcing the output wire to be 1 (true) by consistency. • The prover will commit the assignment values via group elements. [Figure: NAND circuit with wires labelled a1 to a4, b1 to b4, u1 to u3 and NV]

  6. The committed arguments in order of development • A general “knowledge argument” generator: the input is a vector of to-be-committed values, the output is 2 group elements. • “Restricted argument” module, which is a knowledge commitment for specific subsets of [1,...,q] ($q = n^2 + 3n - 2$). • “Product & Permutation arguments”: use restricted arguments and prove consistency.

  7. Representing circuits • A circuit will be represented as an array of NAND gates. • Each NAND gate is a tuple of 3 wires, with wires represented by their indexes.

  8. Common reference string • Generated by a trusted party, and can be verified to be well-formed. • Holds data used in both commitment and verification (group descriptions, generators, the mapping function and more). • Contains the necessary group elements to build and verify the restricted arguments.

  9. The verifier • Will check consistency of the assignments via the arguments, using the homomorphic property of the group elements and the CRS. – All assigned values are in {0,1}: check $a = a^2$ for every value. – All NAND gates are respected ($a_i b_i = 1 - u_i$), including the self loop. – Permutation property: wires of the same origin have the same assignment. – More.

  10. Security of the protocol • To show the protocol is secure, one needs to show the following: – The prover can’t easily fool the verifier into thinking he has the assignments. – The verifier can’t easily learn the assignments (or any part of them) from the arguments sent to it. • These can be proved using two assumptions: q-PKE and q-CPDH.

  11. Complexity • In the protocol we implement, the space complexity of the sent arguments is constant (42 group elements). • Space complexity of the CRS is quadratic in the circuit size: $O(n^2)$. • This is fine when the CRS is not replaced often. • It is possible to make the CRS shorter by making the arguments longer. The optimal overall complexity will be $O(n^{2/3})$. – $n$ is the size of the NAND circuit (a constant factor of the original circuit).

  12. Later Modifications • Lipmaa suggested using progression-free sets and managed to improve the CRS length for a given argument length. – For a constant argument length the CRS length is down to $n^{1+o(1)}$. – For arguments of length $\Theta(n^{2/3})$ the CRS length is $n^{1/3+o(1)}$. – For arguments of length $\Theta(n^{1/2})$ the CRS length is $n^{1/2+o(1)}$.

  13. Our contribution • We implement the basic protocol presented by Groth. • We will have two separate processes representing the prover and the verifier. • Both have access to a file containing the CRS. • Arguments generated by the prover will be stored in a file, which will be given as input to the verifier. • The verifier will decide whether the prover actually has an assignment satisfying the circuit.

  14. Testing method • We will check the system by committing to both valid and invalid arguments. We will check whether the verifier manages to tell which is which.
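
The constraints from slides 5, 7 and 9, checked in the clear, as an added example that is not part of the original presentation or of the implementation it describes: a circuit as an array of NAND gate tuples, the self loop on the output wire, and the three relations the verifier enforces. The function names, the XOR sample circuit and the plaintext per-gate vectors a, b, u are assumptions; the protocol itself checks these relations on committed values.

```python
# Added illustration: the plaintext relations behind the verifier's checks.
# No commitments, pairings or zero-knowledge; all names here are hypothetical.

def nand(x, y):
    return 1 - x * y

def add_self_loop(gates, output_wire, new_wire):
    """Append output = NAND(output, new_wire); only output == 1 satisfies it."""
    return gates + [(output_wire, new_wire, output_wire)]

def honest_vectors(gates, inputs, n_wires):
    """Evaluate the circuit and return the per-gate vectors (a, b, u)."""
    wires = list(inputs) + [0] * (n_wires - len(inputs))  # new variable stays 0
    for in1, in2, out in gates[:-1]:                       # last gate is the self loop
        wires[out] = nand(wires[in1], wires[in2])
    a = [wires[g[0]] for g in gates]
    b = [wires[g[1]] for g in gates]
    u = [wires[g[2]] for g in gates]
    return a, b, u

def check(gates, a, b, u):
    """Return 'ok' or the name of the first violated constraint."""
    n = len(gates)
    if not (len(a) == len(b) == len(u) == n):
        return "length"
    if any(v != v * v for v in a + b + u):              # values in {0,1}: v = v^2
        return "not-bit"
    if any(a[i] * b[i] != 1 - u[i] for i in range(n)):  # a_i * b_i = 1 - u_i
        return "gate"
    seen = {}                                           # wire index -> first value seen
    for i, (w1, w2, w3) in enumerate(gates):
        for wire, val in ((w1, a[i]), (w2, b[i]), (w3, u[i])):
            if seen.setdefault(wire, val) != val:       # same wire, same value
                return "wire"
    return "ok"

# Constructed sample: XOR(x, y) from four NAND gates; wire 5 is the output,
# wire 6 the new variable used by the self loop.
XOR = [(0, 1, 2), (0, 2, 3), (1, 2, 4), (3, 4, 5)]
GATES = add_self_loop(XOR, output_wire=5, new_wire=6)

if __name__ == "__main__":
    print(check(GATES, *honest_vectors(GATES, (1, 0), 7)))  # satisfying input
    print(check(GATES, *honest_vectors(GATES, (1, 1), 7)))  # XOR evaluates to 0
    # Forged vectors: every gate relation holds, but wire 3 has two values.
    print(check(GATES, [1, 1, 1, 0, 1], [1, 0, 0, 1, 0], [0, 1, 1, 1, 1]))
```

The forged third case shows why the gate relation alone is not enough: each gate is locally consistent, and only the same-wire check catches the mismatch.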
