zero knowledge proofs ii zk snarks
play

Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap - PowerPoint PPT Presentation

Jul 16, 2023 •2.47k likes •3.26k views

Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap Lelantus One e ffi cient way to do 1-in-N proofs zk-SNARKs A general way to prove anything in Zero-Knowledge (if you dont know how to do it any other way, use

  1. Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019

  2. Overview • Recap Lelantus • One e ffi cient way to do 1-in-N proofs • zk-SNARKs • A general way to prove anything in Zero-Knowledge • (if you don’t know how to do it any other way, use zk-SNARKs)

  3. Used serial# e8fb04ab61cfdd9ab54d9b1 Lelantus ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 … hidden coins (Pedersen Commitments) JoinSplit Mint Spend Plaintext coins

  4. Lelantus Mint Proof: Pedersen Commitment valid hidden coins (Pedersen Commitments) Mint Plaintext coins

  5. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c Spend 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 73f143adf73708de491ff9d hidden coins (Pedersen Commitments) … Spend Proof: Serial number amount Plaintext coins

  6. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c JoinSplit 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 … hidden coins (Pedersen Commitments) JoinSplit

  7. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c JoinSplit 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 a6e434bb929b8c4d9adf1fb … hidden coins (Pedersen Commitments) 1-in-N Input1

  8. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c JoinSplit 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 a6e434bb929b8c4d9adf1fb 73f143adf73708de491ff9d hidden coins (Pedersen Commitments) … 1-in-N Input1 + Input2

  9. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c JoinSplit 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 a6e434bb929b8c4d9adf1fb 73f143adf73708de491ff9d hidden coins (Pedersen Commitments) 95b96411c8dc99f6be2b443 … 1-in-N Input1 + Input2 + Input3

  10. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c JoinSplit 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 a6e434bb929b8c4d9adf1fb 73f143adf73708de491ff9d hidden coins (Pedersen Commitments) 95b96411c8dc99f6be2b443 … Proof: valid Pedersen Commitment Input1 + Input2 + Input3 + Output1

  11. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c JoinSplit 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 a6e434bb929b8c4d9adf1fb 73f143adf73708de491ff9d hidden coins (Pedersen Commitments) 95b96411c8dc99f6be2b443 … Proof: valid Pedersen Commitment Input1 + Input2 + Input3 + Output1 + Output2

  12. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c JoinSplit 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 a6e434bb929b8c4d9adf1fb 73f143adf73708de491ff9d hidden coins (Pedersen Commitments) 95b96411c8dc99f6be2b443 … Input1 + Input2 + Input3 + Output1 + Output2 + ExtraCashOut

  13. Used serial# Lelantus e8fb04ab61cfdd9ab54d9b1 ea6a1728b274a7e3c667523 cdcb04f2b45a6dd3c13e90c JoinSplit 050cf72a2c4ff1f4df4084a 5a35670340e4107632e4629 f59cc4cef45a8063e4afb65 2d28e9bb87f78a5c0b6b008 1c4433bd43daafa3806759b 4f587540daa9bcb002b3699 a6e434bb929b8c4d9adf1fb 73f143adf73708de491ff9d hidden coins (Pedersen Commitments) 95b96411c8dc99f6be2b443 … Proof of valid transaction: ( c , d , α ) Input1 + Input2 + Input3 + Output1 + Output2 + ExtraCashOut=T If , then T can be described as a factor of only and : c = ℋ ( T | cT + dH + α F ) H F • does not have any components = no money was created or destroyed G

  14. Anonymous Cryptocurrencies 1-in-N proofs Pedersen Commitments 1-in-N proofs 1-in-N proofs

  15. zk-SNARKs Zero-Knowledge Succinct Non-Interactive Argument of Knowledge

  16. zk-SNARK • A general purpose zero-knowledge tool for any computation • Need to prove that you know the pre-image of a hash • => zk-SNARK • Need to build a secret cryptocurrency (e.g. Zerocoin) • => zk-SNARK • Need to prove that you know XYZ? • => zk-SNARK

  17. zk-SNARK • A general purpose zero-knowledge tool for any computation • Very useful, highly relevant, but quite complicated • We will give a high-level overview of how this works • a complete discussion could be an entire semester

  18. zk-SNARK • Perform the computation storing any intermediate value • All values of all variables, called the witness • We encode the witness as a polynomial function w ( x ) • We show that can divide , the constraint polynomial w ( x ) c ( x ) • Only if is the witness valid a ( x ) ⋅ w ( x ) = c ( x ) • If the witness is valid, the program was executed correctly

  19. zk-SNARK • The trick is showing a ( x ) ⋅ w ( x ) = c ( x ) • We show at a secret position a ( x ) ⋅ w ( x ) − c ( x ) = 0 x • Encode polynomials and position via ECC a , w , c x

  20. zk-SNARK • Alice wants to convince Bob that she executed a program • Alice creates the witness w ( x ) • Bob choses a position and verifies x eval a ( x eval ) − w ( x eval ) − c ( x eval ) = 0

  21. Evaluating two polynomials at a random position is enough to check for equality

  22. All that’s left to do • Represent the proof of executing a program as a proof that I know a divisor of a polynomial • Encode the proof in ECC w ( x ) a ( x ) = c ( x )

  23. Proof of Knowledge of Division • Points can be added and multiplied • given 3 points , I can A = aG , B = bB , C = cG , D = dG ax 3 + bx 2 + cx + d encode the polynomial x 3 A + x 2 B + xC + D • The details on how to do the polynomial checks are beyond the scope of today’s lecture

  24. Proof of execution • Computers run on hardware • Theoretically, we can simulate any program with looking at the binary circuits 1. Represent the computation as a binary circuit • Or algebraic circuit for pure math problems 2. Reduction to a Rank 1 Constraint System (R1CS) 3. Representation as a Quadratic Assignment Problem (QAP)

  25. Program Representation • Assume we want to prove that we know a value so that x x 4 + x + 2 = 86 (hint ) x = 3 • Other applications: • I know a value so that (proof of ℋ ( x ) = 23 d 23 e 1… x knowledge of preimage) • A secret blockchain: I know a transaction so that T • is the blockchain T • I know the private key/serial# of T • The output is not yet spend

  26. Flattening the computation x 4 + x + 2 = 86 Proof: We know so that (hint ) x x = 3 • We can verify all basic operations (+,-,*,assignment) • We need to represent the computation as a sequence of basic steps (possibly introducing temporary variables) + 1. a = x ⋅ x + 2. b = a ⋅ a × 3. c = b + x 4. out = c + 2 × × x x x 2 x x

  27. Flattening the computation x 4 + x + 2 = 86 Proof: We know so that (hint ) x x = 3 1. a = x ⋅ x operator 2. b = a ⋅ a R = O L ( ) ⋅ , + , − 3. c = b + x 4. out = c + 2 List of all variables: 1, x , a , b , c , out instead of as 1 2 basic unit for all constants

  28. Each operation as vector List of all variables: operator = L R O ( ) 1, x , a , b , c , out ⋅ , + , − We can generalize all operations using 3 vectors: . . . 1 1 1 . . . x x x = . . . a ⋅ a ⨂ ⨂ a ⨂ . . . b b b . . . c c c . . . out out out

  29. Each operation as vector List of all variables: operator = L R O ( ) 1, x , a , b , c , out ⋅ , + , − We can generalize all operations using 3 vectors: Multiplication: (Example ) a = x ⋅ x 0 0 0 1 1 1 1 0 1 x x x = 0 1 0 a ⋅ a ⨂ ⨂ a ⨂ 0 0 0 b b b 0 0 0 c c c 0 0 0 out out out 1 ⋅ x 1 ⋅ x ⋅ = a ⋅ 1

  30. Each operation as vector List of all variables: operator = L R O ( ) 1, x , a , b , c , out ⋅ , + , − We can generalize all operations using 3 vectors: Addition: (Example ) b = x + 7 7 0 1 1 1 1 1 0 0 x x x = 0 0 0 a ⋅ a ⨂ ⨂ a ⨂ 0 1 0 b b b 0 0 0 c c c 0 0 0 out out out (1 ⋅ 7) + ( x ⋅ 1) 1 ⋅ 1 ⋅ = b ⋅ 1

  31. Each operation as vector x 4 + x + 2 = 86 Proof: We know so that (hint ) x x = 3 1. a = x ⋅ x 2. b = a ⋅ a 3. 0 c = b + x 1 0 1 0 1 0 1 1 4. out = c + 2 x x x 1 0 0 a a a ⋅ = operator 0 0 0 b b b = L R O ( ) ⋅ , + , − 0 0 0 c c c 0 0 0 out out out List of all variables: 1, x , a , b , c , out

Recommend

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs Flattening the computation x 4 + x + 2 = 86 Proof: We know so that (hint ) x x = 3 We can verify all basic operations (+,-,*,assignment) We

1.28k views • 62 slides
References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge https://en.wikipedia.org/wiki/Zero-knowledge_proof Protocols Zero Knowledge Proofs: An Illustrated Primer by M. Green. Part I: https://blog.cryptographyengineering.com/2014/11/27/ Jim

389 views • 18 slides
zk-SNARKs Panagiotis Grontas NTUA-advTCS 01/06/2017 1 / 68 (NTUA-advTCS) zk-SNARKs

zk-SNARKs Panagiotis Grontas NTUA-advTCS 01/06/2017 1 / 68 (NTUA-advTCS) zk-SNARKs

Introduction Prerequisites The Proof Applications References zk-SNARKs Panagiotis Grontas NTUA-advTCS 01/06/2017 1 / 68 (NTUA-advTCS) zk-SNARKs Introduction Effjciently verify the correctness of computations without executing

1.06k views • 68 slides
Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner

Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner

Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner TA: Malvin Gattinger October 22, 2014 1 / 27 Introduction Zero-knowledge proofs are proofs that yield nothing beyond the validity of the

415 views • 27 slides
Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive Proofs 2 Interactive Proofs Prover wants to convince verifier that x has some property 2 Interactive Proofs Prover wants to convince verifier

1.9k views • 174 slides
Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a

Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a

Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a property about an element without revealing Lelantus ZCoins Zero-Knowledge protocol Prove that transactions are valid, without revealing

1.37k views • 72 slides
Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien

Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien

Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien Canard (1) , David Pointcheval (2) and Olivier Sanders (1 , 2) S (1) Orange Labs, Caen, France (2) Ecole Normale Sup erieure, Paris,

556 views • 31 slides
Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge Iftach Haitner, Tel Aviv University December 4, 2011 IP for GNI Part I Interactive Proofs IP for GNI Interactive Vs. Interactive Proofs Definition 1 (

1.51k views • 110 slides
On the Security and Privacy of delegated computation Anca Nitulescu DI ENS - Cascade Outline

On the Security and Privacy of delegated computation Anca Nitulescu DI ENS - Cascade Outline

On the Security and Privacy of delegated computation Anca Nitulescu DI ENS - Cascade Outline Directions SNARKs Motivation Introduction Quantum SNARKs Arguments of Difficulties Knowledge Cloud Applications Computation SNARK Open

746 views • 61 slides
Some Recent SNARKs Saba Eskandarian Qualifying Exam Talk Come, listen, my men, while I tell

Some Recent SNARKs Saba Eskandarian Qualifying Exam Talk Come, listen, my men, while I tell

Some Recent SNARKs Saba Eskandarian Qualifying Exam Talk Come, listen, my men, while I tell you again What is a zk-SNARK? The five unmistakable marks By which you may know, wheresoever you go, Z ero- K nowledge The warranted genuine Snarks.

1.31k views • 103 slides
Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos, Geoffroy Couteau 1 /11 Zero-Knowledge Proof prover verifier Complete: if P knows a solution, V accepts Sound: if there is no solution, P

1.25k views • 27 slides
Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle,

Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle,

Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle, Andrea Cerulli, Jens Groth, Sune Jakobsen, Mary Maller Zero-Knowledge Proofs for Statement Correct Program Execution Witness Prover Verifier

332 views • 32 slides
Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs Prover wants to convince verifier that x has some property Interactive Proofs Prover wants to convince verifier that x has some property i.e. x is in

3.29k views • 145 slides
Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne Broadbent (U. of Ottawa) arxiv:1911.07782 Quantum found. QZK Crypto TCS 2 / 19 Interactive proofs 3 / 19 Interactive proofs L NP P V 0

1.06k views • 89 slides
One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research

One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research

One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research -- Zurich Zero-Knowledge Proofs Zero-Knowledge Proofs Relation f(s)=t, and want to prove knowledge of s Zero-Knowledge Proofs Relation f(s)=t, and

1.04k views • 72 slides
On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek

On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek

On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018 Round-Complexity of ZK-Proofs for NP 2 Round-Complexity of ZK-Proofs for NP 2 Round-Complexity of ZK-Proofs for NP

835 views • 56 slides
Zero Knowledge Proofs Muthuramakrishnan Venkitasubramaniam An example An example I (re)solved

Zero Knowledge Proofs Muthuramakrishnan Venkitasubramaniam An example An example I (re)solved

Zero Knowledge Proofs Muthuramakrishnan Venkitasubramaniam An example An example I (re)solved P vs NP? S I How? Here is the proof Can I convince someone the validity of something Clay without revealing the proof? Institute

619 views • 46 slides
Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang

Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang

Indistinguishable Proofs of Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang ASIACRYPT 2016 8th December, Hanoi, Vietnam Motivation (ZK) Proofs of Knowledge - PoK Statement: Prover

984 views • 79 slides
Towards Interactive Belief, Knowledge & Provability: Possible Application to Zero-Knowledge

Towards Interactive Belief, Knowledge & Provability: Possible Application to Zero-Knowledge

Computer Laboratory Security Seminar Cambridge University Towards Interactive Belief, Knowledge & Provability: Possible Application to Zero-Knowledge Proofs Ph.D. Thesis Chapter 5 Simon Kramer December 18, 2007 Target audience:

496 views • 16 slides
Zero Knowledge Proofs Lecture 21 DNSSEC Recall: Name servers, when queried with a domain name,

Zero Knowledge Proofs Lecture 21 DNSSEC Recall: Name servers, when queried with a domain name,

Zero Knowledge Proofs Lecture 21 DNSSEC Recall: Name servers, when queried with a domain name, return an IP address record (signed by the zone owner), or report that no such domain name exists Question: How to prove that an entry is missing,

506 views • 14 slides
Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack Ronald Cramer (CWI) Ivan Damgrd (AU) Chaoping Xing (NTU) ChenYuan (NTU) Eprint 2016/681 Integer One-Way Function (iOWF) maps integers to finite

582 views • 32 slides
Ze Zero-Kn Knowledge Pr Proofs on on Se Secr cret-Sh Shared Data ta via via Fully Lin

Ze Zero-Kn Knowledge Pr Proofs on on Se Secr cret-Sh Shared Data ta via via Fully Lin

Ze Zero-Kn Knowledge Pr Proofs on on Se Secr cret-Sh Shared Data ta via via Fully Lin inear ear PCPs PCPs Dan Boneh Elette Boyle Henry Corrigan-Gibbs Niv Gilboa Yuval Ishai Ben-Gurion Stanford IDC Herzliya Stanford Technion

1.2k views • 67 slides
LegoSNARK Modular Design and Composition of Succinct Zero-Knowledge Proofs Matteo Campanelli,

LegoSNARK Modular Design and Composition of Succinct Zero-Knowledge Proofs Matteo Campanelli,

LegoSNARK Modular Design and Composition of Succinct Zero-Knowledge Proofs Matteo Campanelli, Dario Fiore , Anas Querol IMDEA Software Institute, Spain 2nd ZKProof Workshop April 10, 2019 zkSNARKs focus of this work from theoretical

535 views • 26 slides
Lecture 18: Zero-Knowledge Proofs Instructor: Omkant Pandey Spring 2017 (CSE 594) Instructor:

Lecture 18: Zero-Knowledge Proofs Instructor: Omkant Pandey Spring 2017 (CSE 594) Instructor:

Lecture 18: Zero-Knowledge Proofs Instructor: Omkant Pandey Spring 2017 (CSE 594) Instructor: Omkant Pandey Lecture 18: Zero-Knowledge Proofs Spring 2017 (CSE 594) 1 / 23 What is a Proof? An argument (or sufficient evidence) that can

386 views • 23 slides

More recommend