zero knowledge proofs
play

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive - PowerPoint PPT Presentation

May 20, 2023 •1.79k likes •3.29k views

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs Prover wants to convince verifier that x has some property Interactive Proofs Prover wants to convince verifier that x has some property i.e. x is in

  1. An Example Graph Isomorphism (G 0 ,G 1 ) in L iff there exists an isomorphism σ such that σ (G 0 )=G 1 G* := π (G 1 ) (random π ) IP protocol: send σ ZK protocol?

  2. An Example Graph Isomorphism (G 0 ,G 1 ) in L iff there exists G* an isomorphism σ such that σ (G 0 )=G 1 G* := π (G 1 ) (random π ) IP protocol: send σ ZK protocol?

  3. An Example Graph Isomorphism (G 0 ,G 1 ) in L iff there exists G* an isomorphism σ such that σ (G 0 )=G 1 G* := π (G 1 ) (random π ) IP protocol: send σ random bit b ZK protocol?

  4. An Example Graph Isomorphism (G 0 ,G 1 ) in L iff there exists G* an isomorphism σ such that σ (G 0 )=G 1 G* := π (G 1 ) (random π ) b IP protocol: send σ random bit b ZK protocol?

  5. An Example Graph Isomorphism (G 0 ,G 1 ) in L iff there exists G* an isomorphism σ such that σ (G 0 )=G 1 G* := π (G 1 ) (random π ) b IP protocol: send σ random bit b if b=1, π * := π ZK protocol? if b=0, π * := π o σ

  6. An Example Graph Isomorphism (G 0 ,G 1 ) in L iff there exists G* an isomorphism σ such that σ (G 0 )=G 1 G* := π (G 1 ) (random π ) b IP protocol: send σ random bit b if b=1, π * := π ZK protocol? if b=0, π * := π o σ π *

  7. An Example Graph Isomorphism (G 0 ,G 1 ) in L iff there exists G* an isomorphism σ such that σ (G 0 )=G 1 G* := π (G 1 ) (random π ) b IP protocol: send σ random bit b if b=1, π * := π ZK protocol? if b=0, π * := π o σ G*= π *(G b )? π *

  8. An Example G* G* := π (G 1 ) (random π ) b random bit b if b=1, π * := π if b=0, π * := π o σ G*= π *(G b )? π *

  9. An Example Why is this convincing? G* G* := π (G 1 ) (random π ) b random bit b if b=1, π * := π if b=0, π * := π o σ G*= π *(G b )? π *

  10. An Example Why is this convincing? If prover can answer both b’s for the same G* then G 0 ~G 1 G* G* := π (G 1 ) (random π ) b random bit b if b=1, π * := π if b=0, π * := π o σ G*= π *(G b )? π *

  11. An Example Why is this convincing? If prover can answer both b’s for the same G* then G 0 ~G 1 G* Otherwise, testing on a random b will leave prover stuck w.p. 1/2 G* := π (G 1 ) (random π ) b random bit b if b=1, π * := π if b=0, π * := π o σ G*= π *(G b )? π *

  12. An Example Why is this convincing? If prover can answer both b’s for the same G* then G 0 ~G 1 G* Otherwise, testing on a random b will leave prover stuck w.p. 1/2 G* := π (G 1 ) Why ZK? (random π ) b random bit b if b=1, π * := π if b=0, π * := π o σ G*= π *(G b )? π *

  13. An Example Why is this convincing? If prover can answer both b’s for the same G* then G 0 ~G 1 G* Otherwise, testing on a random b will leave prover stuck w.p. 1/2 G* := π (G 1 ) Why ZK? (random π ) b random bit Verifier’s view: random b b and π * s.t. G*= π *(G b ) if b=1, π * := π if b=0, π * := π o σ G*= π *(G b )? π *

  14. An Example Why is this convincing? If prover can answer both b’s for the same G* then G 0 ~G 1 G* Otherwise, testing on a random b will leave prover stuck w.p. 1/2 G* := π (G 1 ) Why ZK? (random π ) b random bit Verifier’s view: random b b and π * s.t. G*= π *(G b ) if b=1, π * := π if b=0, π * := π o σ Which he could have G*= π *(G b )? generated by himself (whether G 0 ~G 1 or not) π *

  15. Zero-Knowledge Proofs

  16. Zero-Knowledge Proofs Interactive Proof

  17. Zero-Knowledge Proofs Interactive Proof Complete and Sound

  18. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property:

  19. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property:

  20. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property:

  21. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: Ah, got it! 42

  22. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: Ah, got it! 42

  23. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: Verifier’s view could have been “simulated” Ah, got it! 42

  24. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: Verifier’s view could have been “simulated” Ah, got it! 42

  25. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: Verifier’s view could have been “simulated” Ah, got it! 42

  26. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: Verifier’s view could have been “simulated” L n i x Ah, got it! 42

  27. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: Ah, got it! Verifier’s view could 42 have been “simulated” L n i x Ah, got it! 42

  28. Zero-Knowledge Proofs Interactive Proof Complete and Sound ZK Property: Ah, got it! Verifier’s view could 42 have been “simulated” L For every adversarial n i x Ah, got it! strategy, there exists 42 a simulation strategy

  29. ZK Property (in other pict’ s) x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL

  30. ZK Property (in other pict’ s) x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL

  31. ZK Property (in other pict’ s) x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL

  32. ZK Property (in other pict’ s) Classical definition uses simulation only for corrupt receiver; x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL

  33. ZK Property (in other pict’ s) Classical definition uses simulation only for corrupt receiver; and uses only standalone security: Environment gets only a transcript at the end x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL

  34. SIM ZK x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL

  35. SIM ZK • SIM-ZK would require simulation also when prover is corrupt x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL

  36. SIM ZK • SIM-ZK would require simulation also when prover is corrupt • Then simulator is a witness extractor x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL

  37. SIM ZK • SIM-ZK would require simulation also when prover is corrupt • Then simulator is a witness extractor • Adding this (in standalone setting) makes it a Proof of Knowledge x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL

  38. Results

  39. Results IP and ZK defined [GMR’85]

  40. Results IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86]

  41. Results IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86] Assuming one-way functions exist

Recommend

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge

References Zero Knowledge Proofs on Wikipedia, Zero Knowledge https://en.wikipedia.org/wiki/Zero-knowledge_proof Protocols Zero Knowledge Proofs: An Illustrated Primer by M. Green. Part I: https://blog.cryptographyengineering.com/2014/11/27/ Jim

389 views • 18 slides
Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner

Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner

Zero-Knowledge Proofs Joost van Amersfoort University of Amsterdam Teacher: Christian Schaffner TA: Malvin Gattinger October 22, 2014 1 / 27 Introduction Zero-knowledge proofs are proofs that yield nothing beyond the validity of the

415 views • 27 slides
Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive Proofs 2 Interactive Proofs Prover wants to convince verifier that x has some property 2 Interactive Proofs Prover wants to convince verifier

1.9k views • 174 slides
Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a

Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a

Zero-Knowledge Proofs I Lelantus Oct. 16, 2019 Overview Zero-Knowledge Proving a property about an element without revealing Lelantus ZCoins Zero-Knowledge protocol Prove that transactions are valid, without revealing

1.37k views • 72 slides
Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien

Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien

Efficient Delegation of Zero-Knowledge Proofs of Knowledge in a Pairing-Friendly Setting ebastien Canard (1) , David Pointcheval (2) and Olivier Sanders (1 , 2) S (1) Orange Labs, Caen, France (2) Ecole Normale Sup erieure, Paris,

556 views • 31 slides
Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge

Foundation of Cryptography (0368-4162-01), Lecture 5 Interactive Proofs and Zero Knowledge Iftach Haitner, Tel Aviv University December 4, 2011 IP for GNI Part I Interactive Proofs IP for GNI Interactive Vs. Interactive Proofs Definition 1 (

1.51k views • 110 slides
Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos,

Efficient Designated-Verifier Non- Interactive Zero-Knowledge Proofs of Knowledge Pyrros Chaidos, Geoffroy Couteau 1 /11 Zero-Knowledge Proof prover verifier Complete: if P knows a solution, V accepts Sound: if there is no solution, P

1.25k views • 27 slides
Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle,

Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle,

Arya: Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution Jonathan Bootle, Andrea Cerulli, Jens Groth, Sune Jakobsen, Mary Maller Zero-Knowledge Proofs for Statement Correct Program Execution Witness Prover Verifier

332 views • 32 slides
Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap Lelantus One e ffi cient

Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap Lelantus One e ffi cient

Zero-Knowledge Proofs II zk-SNARKs Oct. 21, 2019 Overview Recap Lelantus One e ffi cient way to do 1-in-N proofs zk-SNARKs A general way to prove anything in Zero-Knowledge (if you dont know how to do it any other way, use

3.26k views • 68 slides
Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne Broadbent (U. of Ottawa) arxiv:1911.07782 Quantum found. QZK Crypto TCS 2 / 19 Interactive proofs 3 / 19 Interactive proofs L NP P V 0

1.06k views • 89 slides
One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research

One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research

One-Shot Verifiable Encryption from Lattices Vadim Lyubashevsky and Gregory Neven IBM Research -- Zurich Zero-Knowledge Proofs Zero-Knowledge Proofs Relation f(s)=t, and want to prove knowledge of s Zero-Knowledge Proofs Relation f(s)=t, and

1.04k views • 72 slides
On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek

On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek

On the Existence of Three Round Zero-Knowledge Proofs Nils Fleischhacker, Vipul Goyal, Abhishek Jain Tel Aviv, May 2, 2018 Round-Complexity of ZK-Proofs for NP 2 Round-Complexity of ZK-Proofs for NP 2 Round-Complexity of ZK-Proofs for NP

835 views • 56 slides
Zero Knowledge Proofs Muthuramakrishnan Venkitasubramaniam An example An example I (re)solved

Zero Knowledge Proofs Muthuramakrishnan Venkitasubramaniam An example An example I (re)solved

Zero Knowledge Proofs Muthuramakrishnan Venkitasubramaniam An example An example I (re)solved P vs NP? S I How? Here is the proof Can I convince someone the validity of something Clay without revealing the proof? Institute

619 views • 46 slides
Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs

Zero-Knowledge Proofs III Beyond zk-SNARKs & Accumulators Oct. 23, 2019 Recap zk-SNARKs Flattening the computation x 4 + x + 2 = 86 Proof: We know so that (hint ) x x = 3 We can verify all basic operations (+,-,*,assignment) We

1.28k views • 62 slides
Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang

Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang

Indistinguishable Proofs of Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang ASIACRYPT 2016 8th December, Hanoi, Vietnam Motivation (ZK) Proofs of Knowledge - PoK Statement: Prover

984 views • 79 slides
Towards Interactive Belief, Knowledge & Provability: Possible Application to Zero-Knowledge

Towards Interactive Belief, Knowledge & Provability: Possible Application to Zero-Knowledge

Computer Laboratory Security Seminar Cambridge University Towards Interactive Belief, Knowledge & Provability: Possible Application to Zero-Knowledge Proofs Ph.D. Thesis Chapter 5 Simon Kramer December 18, 2007 Target audience:

496 views • 16 slides
Zero Knowledge Proofs Lecture 21 DNSSEC Recall: Name servers, when queried with a domain name,

Zero Knowledge Proofs Lecture 21 DNSSEC Recall: Name servers, when queried with a domain name,

Zero Knowledge Proofs Lecture 21 DNSSEC Recall: Name servers, when queried with a domain name, return an IP address record (signed by the zone owner), or report that no such domain name exists Question: How to prove that an entry is missing,

506 views • 14 slides
Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack

Amortized Complexity of Zero- Knowledge Proofs Revisited: Achieving Linear Soundness Slack Ronald Cramer (CWI) Ivan Damgrd (AU) Chaoping Xing (NTU) ChenYuan (NTU) Eprint 2016/681 Integer One-Way Function (iOWF) maps integers to finite

582 views • 32 slides
Ze Zero-Kn Knowledge Pr Proofs on on Se Secr cret-Sh Shared Data ta via via Fully Lin

Ze Zero-Kn Knowledge Pr Proofs on on Se Secr cret-Sh Shared Data ta via via Fully Lin

Ze Zero-Kn Knowledge Pr Proofs on on Se Secr cret-Sh Shared Data ta via via Fully Lin inear ear PCPs PCPs Dan Boneh Elette Boyle Henry Corrigan-Gibbs Niv Gilboa Yuval Ishai Ben-Gurion Stanford IDC Herzliya Stanford Technion

1.2k views • 67 slides
LegoSNARK Modular Design and Composition of Succinct Zero-Knowledge Proofs Matteo Campanelli,

LegoSNARK Modular Design and Composition of Succinct Zero-Knowledge Proofs Matteo Campanelli,

LegoSNARK Modular Design and Composition of Succinct Zero-Knowledge Proofs Matteo Campanelli, Dario Fiore , Anas Querol IMDEA Software Institute, Spain 2nd ZKProof Workshop April 10, 2019 zkSNARKs focus of this work from theoretical

535 views • 26 slides
Lecture 18: Zero-Knowledge Proofs Instructor: Omkant Pandey Spring 2017 (CSE 594) Instructor:

Lecture 18: Zero-Knowledge Proofs Instructor: Omkant Pandey Spring 2017 (CSE 594) Instructor:

Lecture 18: Zero-Knowledge Proofs Instructor: Omkant Pandey Spring 2017 (CSE 594) Instructor: Omkant Pandey Lecture 18: Zero-Knowledge Proofs Spring 2017 (CSE 594) 1 / 23 What is a Proof? An argument (or sufficient evidence) that can

386 views • 23 slides
Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives David Derler , Sebastian Ramacher , Daniel Slamanig PQC rypto 18, April 9, 2018 1 Ring Signatures P

612 views • 27 slides
Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic

Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic

Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic complexity classes and Interactive proofs Graph isomorphism and PCP Some zero knowledge protocols: Feige-Fiat-Shamir authentication protocol

170 views • 16 slides
Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University

Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University

Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University @claudiorlandi Based on joint work with: Meliisa Chase (Microsoft) David Derler (TU Graz) Tore Frederiksen (BIU) Irene Giacomelli

1.21k views • 77 slides

More recommend