Zero-Knowledge Proofs I Lelantus Oct. 16, 2019
Overview
• Zero-Knowledge
  • Proving a property about an element without revealing it
• Lelantus
  • ZCoin’s Zero-Knowledge protocol
  • Prove that transactions are valid, without revealing anything
Zero-Knowledge Proofs (ZKP)
• A proof about a property without revealing it
• Zero-Knowledge is not magic
• We have already seen several instances of ZKP
  • Signatures are ZK proofs of knowing the secret key
  • In ECC, the secret key a is the discrete logarithm of the public key A = aG
  • Also called proof of knowledge of discrete logarithm
Zero-Knowledge Proofs (ZKP)
• Another example we saw:
  • Pedersen Commitment X = aG + λH
  • We can prove that a = 0 without revealing λ by using X as the public key in a signature (s, R) with H as the generator: sH = R + ℋ(...)X
  • Those techniques are called Non-Interactive Signature-based Proof-of-Knowledge (NI SPK)
Zero-Knowledge Proofs (ZKP)
• A more general approach is the so-called Σ-protocol
• A three-way protocol between Alice and Bob:
  1. Alice picks some value b and sends the commitment c = commit(b)
  2. Bob sends a random r
  3. Alice computes f(b, r) for some function f and sends it
  4. Bob accepts if conditions are met
Zero-Knowledge Proofs (ZKP)
• A Zero-Knowledge Σ-protocol to show knowledge of the discrete logarithm of P = pG
• Alice knows p, Bob knows P
  1. Alice: random value r, commits via the ECC point R = rG, sends R
  2. Bob: random challenge c, sends c
  3. Alice: computes s = f(r, c, p) = r + cp, sends s
  4. Bob accepts if sG =? R + cP
• Same formula as Schnorr Signature
Zero-Knowledge Proofs (ZKP)
• A Zero-Knowledge Σ-protocol to show knowledge of the discrete logarithm of P = pG
• Alice knows p
  • random value r, commit via the ECC point R = rG
  • the challenge is a hash using R, P as input: c = ℋ(R | P)
  • With s = r + cp = r + ℋ(...)p, the Schnorr Signature is (s, R)
• Hashes can be used to transform an interactive Zero-Knowledge proof into a non-interactive proof
Zero-Knowledge Proofs (ZKP)
• Zero-knowledge proofs are often shown as a Σ-protocol
  1. Commit some value
  2. Accept a challenge
  3. Send a function of the committed value and the challenge
• With a hash it can be turned into a Non-Interactive proof
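The three-move exchange, its Fiat-Shamir (hashed-challenge) variant and the "commitment opens to 0" signature from the earlier slide, as an added example that is not part of the slides. It uses a constructed toy Schnorr group (P = 2039, Q = 1019, generators G = 4 and H = 9) instead of an elliptic curve, and writes the group multiplicatively, so the slides' aG + bH becomes G**a * H**b mod P; the function names and the toy parameters are this example's own choices.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example: P = 2Q + 1 with P and Q
# prime; G and H are squares mod P and therefore generate the subgroup of
# prime order Q. The slides write the group additively (aG, R = rG); here the
# same algebra is written multiplicatively, so "aG + bH" is G**a * H**b mod P.
P, Q = 2039, 1019
G, H = 4, 9

def exp(base, k):
    """Scalar multiplication k*Base in the slides' notation."""
    return pow(base, k % Q, P)

def rand_scalar():
    return secrets.randbelow(Q - 1) + 1      # uniform in 1..Q-1

def hash_challenge(*elements):
    """c = H(R | Pub): the Fiat-Shamir challenge, reduced into the scalar field."""
    data = b"|".join(str(e).encode() for e in elements)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

# --- Interactive Sigma-protocol for knowledge of p with Pub = pG ----------
def sigma_commit():
    """Step 1 (Alice): random r, commitment R = rG."""
    r = rand_scalar()
    return r, exp(G, r)

def sigma_respond(r, c, p):
    """Step 3 (Alice): s = r + c*p."""
    return (r + c * p) % Q

def sigma_verify(pub, R, c, s):
    """Bob accepts iff sG == R + cPub."""
    return exp(G, s) == (R * exp(pub, c)) % P

def run_interactive(secret):
    pub = exp(G, secret)
    r, R = sigma_commit()               # Alice -> Bob: R
    c = rand_scalar()                   # Bob -> Alice: random challenge c (step 2)
    s = sigma_respond(r, c, secret)     # Alice -> Bob: s
    return sigma_verify(pub, R, c, s)

# --- Fiat-Shamir: c = H(R | Pub) makes it a Schnorr signature / NI proof ---
def schnorr_sign(secret, base=G):
    pub = exp(base, secret)
    r = rand_scalar()
    R = exp(base, r)
    c = hash_challenge(R, pub)
    return R, (r + c * secret) % Q

def schnorr_verify(pub, signature, base=G):
    R, s = signature
    c = hash_challenge(R, pub)
    return exp(base, s) == (R * exp(pub, c)) % P

# --- NI SPK that a Pedersen commitment X = aG + lambda*H has a == 0 ---------
def pedersen(a, lam):
    return (exp(G, a) * exp(H, lam)) % P

def prove_opens_to_zero(lam):
    """If a == 0 then X = lambda*H: X is a public key for base H, lambda its key."""
    return schnorr_sign(lam, base=H)

def verify_opens_to_zero(X, proof):
    """sH == R + hash(...)X, checked with H as the generator."""
    return schnorr_verify(X, proof, base=H)

if __name__ == "__main__":
    print("interactive:", run_interactive(123))
    lam = rand_scalar()
    print("X opens to 0:", verify_opens_to_zero(pedersen(0, lam), prove_opens_to_zero(lam)))
```

The only difference between the interactive run and the signature is where c comes from: Bob's coin in the first, a hash of the transcript in the second. With a real curve and a 256-bit group the same code structure applies; the toy group only keeps the numbers small.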
Σ-protocol for Pedersen commit as 0 or 1
• Assume we have a Pedersen Commitment X = aG + λH
• Before, we have seen a ZKP to show that a = 0
• Now, we look at a ZKP to show that a = 0 or a = 1
• How can that work?
  • The one thing a = 0 and a = 1 have in common:
  • We prove that a(1 − a) = 0
Σ-protocol for Pedersen Commitment as 0 or 1, proof C = mG + rH, m ∈ {0,1}
Step 1 • Alice (knows C = mG + rH)
  • generates random a, s, t ∈ ℤ
  • commits and sends
    • c_a = aG + sH
    • c_b = (am)G + tH
Step 2 • Bob sends a random challenge x
Step 3 • Alice sends f, z_a, z_b with
    • f = mx + a
    • z_a = rx + s
    • z_b = r(x − f) + t
• Bob accepts if and only if:
    • xC + c_a = fG + z_a H
    • (x − f)C + c_b = 0G + z_b H
Σ-protocol for Pedersen Commitment as 0 or 1, proof C = mG + rH, m ∈ {0,1}
Alice sends: c_a = aG + sH, c_b = (am)G + tH, f = mx + a, z_a = rx + s, z_b = r(x − f) + t
Bob verifies: xC + c_a =? fG + z_a H
  xC + c_a = x(mG + rH) + (aG + sH)
           = xmG + aG + xrH + sH
           = (xm + a)G + (xr + s)H
           = fG + z_a H
• We do not make any assumption about a, s
• xC + c_a = (mx + a)G + (…)H
• If xC + c_a = fG + (…)H, we know that f = mx + a
Σ-protocol for Pedersen Commitment as 0 or 1, proof C = mG + rH, m ∈ {0,1}
Alice sends: c_a = aG + sH, c_b = (am)G + tH, f = mx + a, z_a = rx + s, z_b = r(x − f) + t
Bob verifies: (x − f)C + c_b =? 0G + z_b H
• now we test the property via m(1 − m) = 0
  (x − f)C + c_b = (x − (mx + a))C + c_b
                 = (x − (mx + a))(mG + rH) + c_b
                 = (x − (mx + a))mG + (x − f)rH + c_b
                 = (xm − m²x − ma)G + (x − f)rH + (amG + tH)
                 = (xm − m²x)G + (x − f)rH + tH
                 = xm(1 − m)G + (r(x − f) + t)H
                =? 0G + z_b H
• So the check tells Bob that (x − f)C + c_b = 0G + (…)H
Σ-protocol for Pedersen Commitment as 0 or 1, proof C = mG + rH, m ∈ {0,1}
Alice sends: c_a = aG + sH, c_b = (am)G + tH, f = mx + a, z_a = rx + s, z_b = r(x − f) + t
Bob verifies:
• if (x − f)C + c_b = 0G + z_b H and xC + c_a = fG + z_a H
• then: f = mx + a and xm(1 − m) = 0, regardless of x
• Thus we know that m ∈ {0,1}
Σ-protocol for Pedersen Commitment as 0 or 1
• Why do we do this?
• It is very very cool!
• We can use this as a building block for more complex proofs
  • 1-in-N Σ-protocols
1-in-N Σ-Protocol
• Assume we have a set of Pedersen Commitments given, {X_1, X_2, …, X_n}
  • each X_i = m_i G + r_i H
  • amount m_i
  • randomness r_i as blinding value
• Assume we know X_t = m_t G + r_t H
• We want to prove that we know one of the X_i
• Publish a related Pedersen Commitment Y = m_t G + sH
• Verifier subtracts Y from all Pedersen Commitments
• Proof is now: 1 in {X_1 − Y, X_2 − Y, …, X_n − Y} is 0G + (…)H
  • Technical term: opens to 0
1-in-N Σ-Protocol
• New Problem:
  • {Y_1, Y_2, …, Y_n}, Y_i = m_i G + s_i H, Y_t = 0G + s_t H
  • We want to prove that one of the Y_i opens to 0
• Idea:
  • show that c_1 Y_1 + c_2 Y_2 + … + c_n Y_n opens to 0
  • show that each c_i is either 0 or 1
  • show that Σ c_i is 1
• given c_1 Y_1 + c_2 Y_2 + … + c_n Y_n, show that each c_i is either 0 or 1
  • if c_i is a number, we reveal the secret
  • if c_i is a group element, we don’t know what c_i Y_i means
1-in-N Σ-Protocol
• Look at the previous proof:
  Alice sends c_a = aG + sH, c_b = (am)G + tH, f = mx + a, z_a = rx + s, z_b = r(x − f) + t
  Bob verifies: if (x − f)C + c_b = 0G + z_b H and xC + c_a = fG + z_a H
  then f = mx + a and xm(1 − m) = 0, regardless of x
  Thus we know that m ∈ {0,1}
• consider f = mx + a
  • Contains the value m ∈ {0,1}
  • since a is secret, knowing f doesn’t reveal m
1-in-N Σ-Protocol
• New Problem:
  • {Y_1, Y_2, …, Y_n}, Y_i = m_i G + s_i H, Y_t = 0G + s_t H
  • given f_1 Y_1 + f_2 Y_2 + … + f_n Y_n
• Conduct N parallel Σ-protocols for f_i = m_i x + a_i
  • That gives a proof that m_i ∈ {0,1}
• now we have
  f_1 Y_1 + f_2 Y_2 + … + f_n Y_n = (m_1 x + a_1)Y_1 + (m_2 x + a_2)Y_2 + … + (m_n x + a_n)Y_n
                                  = m_k x Y_k + Σ a_k Y_k
• This opens to 0 (m_k = 1 only for k = t, where Y_t = 0G + s_t H); the term Σ a_k Y_k is independent of x and can be sent beforehand in a Pedersen Commitment
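The bit proof from the "Pedersen Commitment as 0 or 1" slides and the 1-in-N construction sketched above, put together as one added example; this is not the slides' or Lelantus' code. It uses a constructed toy Schnorr group (P = 2039, Q = 1019, generators G = 4 and H = 9) written multiplicatively, so mG + rH is G**m * H**r mod P. The reduction follows the earlier slide (publish Y = m_t G + sH, subtract it from every X_i, so Y_t = X_t − Y opens to 0); the N parallel bit proofs give m_i ∈ {0,1}; the term Σ a_i Y_i is committed as D before the challenge, exactly as the last bullet says. One detail is this example's own choice rather than the slides': the "Σ m_i is 1" check is done by choosing the blinding factors of the bit commitments C_i to sum to 0, so the verifier can test Π C_i = G directly. All function names are assumptions of this example.

```python
import secrets

# Toy Schnorr group, constructed for this example: P = 2Q + 1 with P and Q prime;
# G and H are squares mod P and therefore generate the subgroup of prime order Q.
# The slides write the group additively (mG + rH); here the same algebra is written
# multiplicatively, so "mG + rH" is G**m * H**r mod P.
P, Q = 2039, 1019
G, H = 4, 9

def exp(base, k):
    return pow(base, k % Q, P)

def rand_scalar():
    return secrets.randbelow(Q - 1) + 1      # uniform in 1..Q-1

def commit(m, r):
    """Pedersen commitment mG + rH."""
    return (exp(G, m) * exp(H, r)) % P

# --- Sigma-protocol: C = mG + rH commits to a bit (slides: c_a, c_b, f, z_a, z_b)
def bit_prove_step1(m, r):
    """Step 1 (Alice): random a, s, t; send c_a = aG + sH and c_b = (am)G + tH."""
    a, s, t = rand_scalar(), rand_scalar(), rand_scalar()
    return (m, r, a, s, t), (commit(a, s), commit(a * m, t))

def bit_prove_step3(state, x):
    """Step 3 (Alice): f = mx + a, z_a = rx + s, z_b = r(x - f) + t."""
    m, r, a, s, t = state
    f = (m * x + a) % Q
    return f, (r * x + s) % Q, (r * (x - f) + t) % Q

def bit_verify(C, c_a, c_b, x, f, z_a, z_b):
    """Bob accepts iff xC + c_a == fG + z_a H and (x - f)C + c_b == 0G + z_b H."""
    ok_a = (exp(C, x) * c_a) % P == commit(f, z_a)
    ok_b = (exp(C, x - f) * c_b) % P == exp(H, z_b)
    return ok_a and ok_b

# --- Reduction from the slides: publish Y = m_t G + sH and subtract it everywhere
def reduce_to_opens_to_zero(Xs, m_t, r_t):
    """Returns Y_i = X_i - Y for all i, and s_t with Y_t = 0G + s_t H."""
    s = rand_scalar()
    Y_inv = pow(commit(m_t, s), -1, P)
    return [X * Y_inv % P for X in Xs], (r_t - s) % Q

# --- 1-in-N: prove that some Y_i opens to 0, knowing t and s_t
def one_of_n_prove(Ys, t, s_t, get_challenge):
    n = len(Ys)
    m = [1 if i == t else 0 for i in range(n)]
    # Blinding factors summing to 0, so that prod(C_i) == G; that is how the
    # verifier checks sum(m_i) == 1 in this example (a choice of this code,
    # not the slides' construction).
    r = [rand_scalar() for _ in range(n - 1)]
    r.append(-sum(r) % Q)
    Cs = [commit(m[i], r[i]) for i in range(n)]
    states, cabs = zip(*[bit_prove_step1(m[i], r[i]) for i in range(n)])
    # D = sum(a_i Y_i) + rho H does not depend on x, so it is sent before the challenge
    rho = rand_scalar()
    D = exp(H, rho)
    for i in range(n):
        D = D * exp(Ys[i], states[i][2]) % P       # states[i][2] is a_i
    x = get_challenge(Cs, cabs, D)                 # step 2: Bob's challenge
    resp = [bit_prove_step3(st, x) for st in states]
    z_d = (x * s_t - rho) % Q
    return Cs, list(cabs), D, x, resp, z_d

def one_of_n_verify(Ys, proof):
    Cs, cabs, D, x, resp, z_d = proof
    n = len(Ys)
    # N parallel bit proofs: every m_i is 0 or 1
    if not all(bit_verify(Cs[i], *cabs[i], x, *resp[i]) for i in range(n)):
        return False
    prod = 1
    for C in Cs:
        prod = prod * C % P
    if prod != G:                                   # sum(m_i) == 1
        return False
    # sum(f_i Y_i) = x Y_t + sum(a_i Y_i), hence sum(f_i Y_i) - D == z_d H
    lhs = pow(D, -1, P)
    for i in range(n):
        lhs = lhs * exp(Ys[i], resp[i][0]) % P      # resp[i][0] is f_i
    return lhs == exp(H, z_d)

if __name__ == "__main__":
    amounts, blinds = [5, 17, 42, 9], [rand_scalar() for _ in range(4)]
    Xs = [commit(a, b) for a, b in zip(amounts, blinds)]
    t = 2                                           # prover owns X_2
    Ys, s_t = reduce_to_opens_to_zero(Xs, amounts[t], blinds[t])
    proof = one_of_n_prove(Ys, t, s_t, lambda *_: rand_scalar())
    print("1-in-N proof verifies:", one_of_n_verify(Ys, proof))
```

The final check is the one the slide derives: Σ f_i Y_i = x·Y_t + Σ a_i Y_i, and because Y_t = s_t H and D already fixes Σ a_i Y_i before x is known, the difference is a pure H-multiple with the known exponent z_d = x·s_t − ρ. Passing `get_challenge` as a callback keeps the prover from choosing x after D; replacing it with a hash of (C_i, c_a, c_b, D) gives the non-interactive form from the earlier slides.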