Sub-Linear Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits Carsten Baum, Jonathan Bootle, Andrea Cerulli, Rafael del Pino, Jens Groth and Vadim Lyubashevsky
Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits 2
Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits Commitment/hash from SIS: = • Binding/collision resistant by SIS • Hiding by Leftover Hash Lemma • Homomorphic • Compressing [A96] 3
Lattice-Based Statement Zero-Knowledge Arguments for Arithmetic Circuits Witness Prover Verifier 4
Lattice-Based Statement Zero-Knowledge Arguments for Arithmetic Circuits Witness Prover Verifier 5
Lattice-Based Statement Zero-Knowledge Arguments for Arithmetic Circuits Completeness: An honest prover Prover Verifier convinces the verifier. 6
Lattice-Based Statement Zero-Knowledge Arguments for Arithmetic Circuits Soundness: A dishonest prover never convinces the verifier. Completeness: An honest prover Prover Verifier Computational guarantee convinces the verifier. -> argument 7
Lattice-Based Statement Zero-Knowledge Arguments for Arithmetic Circuits Knowledge Soundness: The prover must know a witness to convince the Completeness: verifier. An honest prover Prover Verifier -> Proof/argument convinces the verifier. of knowledge 8
Lattice-Based Statement Zero-Knowledge Arguments for Arithmetic Circuits Witness Knowledge Soundness: The prover must know a witness to convince the Completeness: verifier. An honest prover Prover Verifier -> Proof/argument convinces the verifier. Zero-knowledge: of knowledge 9 Nothing but the truth of the statement is revealed.
Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits 3 Why arithmetic circuits? • C to circuit compilers Statement • Models cryptographic computations • Witness existence? NP-Complete Witness 10
Lattice-Based Statement Zero-Knowledge Arguments for Arithmetic Circuits Interaction Prover Verifier Communication Computation Computation Prover Verifier Cryptographic 11 Assumption
Results Table Expected Communication Prover Verifier # Moves Complexity Complexity [DL12] [BKLP15] This Work 12
Arithmetic Circuit Argument Featured in prior works Arithmetic Circuits DLOG Protocols Information Theoretic Proofs Matrix Equations The interesting parts Extension Fields Polynomials Proof of Knowledge Commitments Rejection Sampling Protocol 13
Proof of Knowledge Statement Witness 14
Proof of Knowledge … 15
Typical Proofs of Knowledge Completeness: Knowledge Soundness: Soundness None for us* Slack 16
Simplistic Protocol P V Rejection Sampling 17
Our Protocol 18
Our Protocol 19
Proof-of-Knowledge Performance Expected Communication Prover Verifier # Moves Complexity Complexity [BDLN16] [CDXY17] This Work This Work 20
Arithmetic Circuit Argument Arithmetic Circuits Matrix Equations Extension Fields Polynomials Proof of Knowledge Commitments Rejection Sampling Protocol 21
High Level Structure L R O 3 5 15 7 5 O = 15 12 180 15 12 5 7 12 + = 180 22
High Level Structure L R O 3 5 15 7 5 O = 15 12 180 15 12 5 7 12 + = 180 23
High Level Structure L R O O = + = 24
High Level Structure L R O O = + = 25
Matrix Dimensions ~√N ~√N ~√N ~√N 26
Paradigm from Previous Arguments 2 6 6 2 0 1 9 2 7 4 5 3 7 2 8 3 6 1 6 9 5 7 6 7 1 4 2 6 8 3 6 3 7 2 7 5 3 2 4 7 5 2 8 7 3 1 0 4 7 3 27
Protocol Flow 1. Commit to wire values P V 2. Commit to polynomial coefficients 3. Commit to mod p correction factors Check size bounds and linear combinations 4. Compute linear combinations, do , Proof of Knowledge rejection sampling, proof of knowledge
Protocol Flow √N √N P V √N √N O(1) √N O(1) , Proof of Knowledge
Parameter Choice q, modulus for SIS Polynomial- binding space for SIS commitments sized gap maximum size of openings from knowledge-extractor maximum size of honest prover committed values p, arithmetic circuits modulo p 30
Additional Issues Schwarz-Zippel Lemma: Not negligible! Negligible! Empty Empty Rubbish Rubbish 31
32
Thanks! Expected Communication Prover Complexity Verifier Complexity # Moves • General Statements • Sub-linear proofs • Relies on SIS 33
Recommend
More recommend
