Zero Knowledge Succinct Noninteractive ARguments of Knowledge
Saravanan Vijayakumaran (sarva@ee.iitb.ac.in)
Department of Electrical Engineering, Indian Institute of Technology Bombay
October 15, 2019
zkSNARKs
• Arguments
  • ZK proofs where the soundness guarantee is required only against PPT provers
• Noninteractive
  • The proof consists of a single message from prover to verifier
• Succinct
  • Proof size is $O(1)$
• Requires a trusted setup to generate a common reference string (CRS)
  • CRS size is linear in the size of the assertion being proved
Bilinear Pairings
• Let $G$ and $G_T$ be two cyclic groups of prime order $p$
• In practice, $G$ is an elliptic curve group and $G_T$ is a subgroup of $\mathbb{F}_{r^n}^*$ where $r$ is a prime
• Let $G = \langle g \rangle$, i.e. $G = \{ g^\alpha \mid \alpha \in \mathbb{Z}_p \}$
• A symmetric pairing is an efficient map $e : G \times G \to G_T$ satisfying
  1. Bilinearity: $\forall \alpha, \beta \in \mathbb{Z}_p$, we have $e(g^\alpha, g^\beta) = e(g, g)^{\alpha\beta}$
  2. Non-degeneracy: $e(g, g)$ is not the identity in $G_T$
• Finding discrete logs is assumed to be difficult in both groups
• Pairings enable multiplication of secrets (in the exponent)
Computational Diffie-Hellman Problem
• The CDH experiment $\mathrm{CDH}_{\mathcal{A},\mathcal{G}}(n)$:
  1. Run $\mathcal{G}(1^n)$ to obtain $(G, q, g)$ where $G$ is a cyclic group of order $q$ (with $\|q\| = n$) and $g \in G$ is a generator.
  2. Choose uniform $x_1, x_2 \in \mathbb{Z}_q$ and compute $h_1 = g^{x_1}$, $h_2 = g^{x_2}$.
  3. $\mathcal{A}$ is given $G, q, g, h_1, h_2$ and outputs $h \in G$.
  4. The experiment outputs 1 if $h = g^{x_1 x_2}$ and 0 otherwise.
• Definition: We say that the CDH problem is hard relative to $\mathcal{G}$ if for every PPT adversary $\mathcal{A}$ there is a negligible function $\mathrm{negl}$ such that
  $\Pr[\mathrm{CDH}_{\mathcal{A},\mathcal{G}}(n) = 1] \le \mathrm{negl}(n)$.
Decisional Diffie-Hellman Problem
• The DDH experiment $\mathrm{DDH}_{\mathcal{A},\mathcal{G}}(n)$:
  1. Run $\mathcal{G}(1^n)$ to obtain $(G, q, g)$ where $G$ is a cyclic group of order $q$ (with $\|q\| = n$) and $g \in G$ is a generator.
  2. Choose uniform $x, y, z \in \mathbb{Z}_q$ and compute $u = g^x$, $v = g^y$.
  3. Choose a uniform bit $b \leftarrow \{0, 1\}$ and compute $w = g^{bz + (1-b)xy}$.
  4. Give the triple $u, v, w$ to the adversary $\mathcal{A}$.
  5. $\mathcal{A}$ outputs a bit $b' = \mathcal{A}(G, q, g, u, v, w)$.
• Definition: We say that the DDH problem is hard relative to $\mathcal{G}$ if for all PPT adversaries $\mathcal{A}$ there is a negligible function $\mathrm{negl}$ such that
  $\left| \Pr[\mathcal{A}(G, q, g, g^x, g^y, g^z) = 1] - \Pr[\mathcal{A}(G, q, g, g^x, g^y, g^{xy}) = 1] \right| \le \mathrm{negl}(n)$
• If $G$ has a pairing, then the DDH problem is easy in $G$: the adversary simply checks whether $e(u, v) = e(w, g)$, which holds exactly when $w = g^{xy}$
Some Exercises on Pairings
• A symmetric pairing is an efficient map $e : G \times G \to G_T \subset \mathbb{F}_{r^n}^*$ satisfying
  1. Bilinearity: $\forall \alpha, \beta \in \mathbb{Z}_p$, we have $e(g^\alpha, g^\beta) = e(g, g)^{\alpha\beta}$
  2. Non-degeneracy: $e(g, g)$ is not the identity in $G_T$
• Reduce the following expressions
  • $e(g^a, g)\, e(g, g^b)$
  • $e(g, g^a)\, e(g^b, g)$
  • $e(g^a, g^{-b})$
  • $e(u, v)\, e(g, g)^c$
  • $\prod_{i=1}^{m} e(g, g^{a_i})^{b_i}$
• Show that if $e(u, v) = 1$ then $u = 1$ or $v = 1$
Applications of Pairings
• Three-party Diffie-Hellman key agreement
  • Three parties Alice, Bob, Carol have private-public key pairs $(a, g^a)$, $(b, g^b)$, $(c, g^c)$ where $G = \langle g \rangle$
  • Alice sends $g^a$ to the other two
  • Bob sends $g^b$ to the other two
  • Carol sends $g^c$ to the other two
  • Each party can compute the common key $K = e(g, g)^{abc} = e(g^b, g^c)^a = e(g^a, g^c)^b = e(g^a, g^b)^c$
• BLS Signature Scheme
  • Suppose $H : \{0, 1\}^* \to G$ is a hash function
  • Let $(x, g^x)$ be a private-public key pair
  • The BLS signature on message $m$ is $\sigma = H(m)^x$
  • The verifier checks that $e(g, \sigma) = e(g^x, H(m))$
Knowledge of Exponent Assumptions
• Knowledge of Exponent Assumption (KEA)
  • Let $G$ be a cyclic group of prime order $p$ with generator $g$ and let $\alpha \in \mathbb{Z}_p$
  • Given $g, g^\alpha$, suppose a PPT adversary can output $c, \hat{c}$ such that $\hat{c} = c^\alpha$
  • The only way he can do so is by choosing some $\beta \in \mathbb{Z}_p$ and setting $c = g^\beta$ and $\hat{c} = (g^\alpha)^\beta$
• $q$-Power Knowledge of Exponent ($q$-PKE) Assumption
  • Let $G$ be a cyclic group of prime order $p$ with a pairing $e : G \times G \to G_T$
  • Let $G = \langle g \rangle$ and let $\alpha, s$ be randomly chosen from $\mathbb{Z}_p^*$
  • Given $g, g^s, g^{s^2}, \dots, g^{s^q}, g^\alpha, g^{\alpha s}, g^{\alpha s^2}, \dots, g^{\alpha s^q}$, suppose a PPT adversary can output $c, \hat{c}$ such that $\hat{c} = c^\alpha$
  • The only way he can do so is by choosing some $a_0, a_1, \dots, a_q \in \mathbb{Z}_p$ and setting $c = \prod_{i=0}^{q} \left(g^{s^i}\right)^{a_i}$ and $\hat{c} = \prod_{i=0}^{q} \left(g^{\alpha s^i}\right)^{a_i}$
Checking Polynomial Evaluation
• Prover knows a polynomial $p(x) \in \mathbb{F}_p[x]$ of degree $d$
• Verifier wants to check that the prover computes $g^{p(s)}$ for some randomly chosen $s \in \mathbb{F}_p$
• Verifier does not care which $p(x)$ is used but cares about the evaluation point $s$
• Verifier sends $g^{s^i}$, $i = 0, 1, 2, \dots, d$ to the prover
• If $p(x) = \sum_{i=0}^{d} p_i x^i$, the prover can compute $g^{p(s)}$ as
  $g^{p(s)} = \prod_{i=0}^{d} \left(g^{s^i}\right)^{p_i}$
• But the prover could have computed $g^{p(t)}$ for some $t \neq s$
• Verifier also sends $g^{\alpha s^i}$, $i = 0, 1, 2, \dots, d$ for some randomly chosen $\alpha \in \mathbb{F}_p^*$
• Prover can now compute $g^{\alpha p(s)}$
• Anyone can check that $e(g^\alpha, g^{p(s)}) = e(g^{\alpha p(s)}, g)$
• But why can't the prover cheat by returning $g^{p(t)}$ and $g^{\alpha p(t)}$?
Schwartz-Zippel Lemma
Lemma. Let $F$ be any field. For any nonzero polynomial $f \in F[x]$ of degree $d$ and any finite subset $S$ of $F$,
  $\Pr[f(s) = 0] \le \dfrac{d}{|S|}$
when $s$ is chosen uniformly from $S$.
• Suppose $F$ is a finite field of order $\approx 2^{256}$
• If $s$ is chosen uniformly from $F$, then it is unlikely to be a root of a low-degree polynomial
• Equality of polynomials can be checked by evaluating them at the same random point
• Application: Suppose the prover wants to prove that he knows a secret polynomial $p(x)$ which is divisible by another public polynomial $t(x)$
  • Verifier sends $g^{s^i}, g^{\alpha s^i}$, $i = 0, 1, 2, \dots, d$ to the prover
  • Prover computes $h(x) = \dfrac{p(x)}{t(x)} = \sum_{i=0}^{d} h_i x^i$ and calculates $g^{h(s)}$ using the coefficients $h_i$
  • Verifier gets $g^{p(s)}, g^{h(s)}, g^{\alpha p(s)}, g^{\alpha h(s)}$ and checks
    $e\left(g, g^{p(s)}\right) = e\left(g^{h(s)}, g^{t(s)}\right)$,
    $e\left(g^\alpha, g^{p(s)}\right) = e\left(g^{\alpha p(s)}, g\right)$,
    $e\left(g^\alpha, g^{h(s)}\right) = e\left(g^{\alpha h(s)}, g\right)$
  • The verifier can compute $g^{t(s)}$ itself from the $g^{s^i}$ since $t(x)$ is public
Arithmetic Circuits
Circuits consisting of additions and multiplications modulo $p$
Quadratic Arithmetic Programs
Definition. A QAP $Q$ over a field $F$ contains three sets of polynomials $V = \{v_k(x)\}$, $W = \{w_k(x)\}$, $Y = \{y_k(x)\}$, for $k \in \{0, 1, \dots, m\}$, and a target polynomial $t(x)$. Suppose $f : F^n \to F^{n'}$ has input variables labelled $1, 2, \dots, n$ and output variables labelled $n+1, \dots, n+n'$. We say that $Q$ computes $f$ if, for $N = n + n'$: $(a_1, a_2, \dots, a_N) \in F^N$ is a valid assignment of $f$'s inputs and outputs if and only if there exist $(a_{N+1}, \dots, a_m)$ such that $t(x)$ divides $p(x)$, where
  $p(x) = \left( v_0(x) + \sum_{k=1}^{m} a_k v_k(x) \right) \cdot \left( w_0(x) + \sum_{k=1}^{m} a_k w_k(x) \right) - \left( y_0(x) + \sum_{k=1}^{m} a_k y_k(x) \right).$
So there must exist a polynomial $h(x)$ such that $h(x)\, t(x) = p(x)$. The size of $Q$ is $m$, and the degree of $Q$ is the degree of $t(x)$.
• Arithmetic circuits can be mapped to QAPs efficiently
QAP for an Arithmetic Circuit
• $a_5 = (a_1 + 7a_2)(a_2 - 2a_3)$ and $a_6 = (a_2 - 2a_3)\, a_4$
• Choose distinct $r_5, r_6 \in F$ and $t(x) = (x - r_5)(x - r_6)$
• Choose polynomials $\{v_k(x)\}, \{w_k(x)\}, \{y_k(x)\}$, $k = 0, 1, \dots, m$, such that
  $\sum_{k=0}^{6} a_k v_k(r_5) = a_1 + 7a_2$, $\quad \sum_{k=0}^{6} a_k w_k(r_5) = a_2 - 2a_3$, $\quad \sum_{k=0}^{6} a_k y_k(r_5) = a_5$,
  $\sum_{k=0}^{6} a_k v_k(r_6) = a_2 - 2a_3$, $\quad \sum_{k=0}^{6} a_k w_k(r_6) = a_4$, $\quad \sum_{k=0}^{6} a_k y_k(r_6) = a_6$.
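Added worked example (not from the slides): the QAP for this two-gate circuit built over a small prime field by Lagrange interpolation at $r_5, r_6$, followed by the divisibility test $t(x) \mid p(x)$ for an honest assignment and a tampered one. The field size $P = 101$ and the roots $r_5 = 1$, $r_6 = 2$ are assumptions chosen for readability.

```python
from itertools import zip_longest
P = 101          # small prime field for illustration (assumption; real systems use ~256-bit p)
ROOTS = [1, 2]   # r5, r6: one distinct root per multiplication gate (assumption)

def padd(a, b):  # polynomial addition over F_P, coefficients low degree first
    return [(x + y) % P for x, y in zip_longest(a, b, fillvalue=0)]
def pmul(a, b):  # polynomial multiplication over F_P
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out
def prem(a, b):  # remainder of a(x) divided by b(x) over F_P (long division)
    a, inv = a[:], pow(b[-1], P - 2, P)
    while len(a) >= len(b):
        if a[-1]:
            coef, shift = a[-1] * inv % P, len(a) - len(b)
            for i, y in enumerate(b):
                a[shift + i] = (a[shift + i] - coef * y) % P
        a.pop()
    return a
def lagrange(values):  # polynomial of degree < len(ROOTS) taking values[i] at ROOTS[i]
    result = [0]
    for i, ri in enumerate(ROOTS):
        basis = [values[i] % P]
        for j, rj in enumerate(ROOTS):
            if j != i:  # multiply by (x - r_j) / (r_i - r_j)
                basis = pmul(basis, pmul([-rj % P, 1], [pow((ri - rj) % P, P - 2, P)]))
        result = padd(result, basis)
    return result

# Gate tables: row k = coefficient of a_k in the left input (V), right input (W) and
# output (Y) at r5 (gate 1) and r6 (gate 2); variables not listed contribute zero.
V = {1: [1, 0], 2: [7, 1], 3: [0, -2]}   # v(r5) = a1 + 7 a2,  v(r6) = a2 - 2 a3
W = {2: [1, 0], 3: [-2, 0], 4: [0, 1]}   # w(r5) = a2 - 2 a3,  w(r6) = a4
Y = {5: [1, 0], 6: [0, 1]}               # y(r5) = a5,         y(r6) = a6
T = pmul([-ROOTS[0] % P, 1], [-ROOTS[1] % P, 1])   # target t(x) = (x - r5)(x - r6)

def combine(table, a):  # sum_k a_k * poly_k(x) for the assignment a = (a0 = 1, a1, ..., a6)
    acc = [0]
    for k, coeff in enumerate(a):
        if k in table:
            acc = padd(acc, pmul(lagrange(table[k]), [coeff]))
    return acc
def qap_satisfied(a):  # True iff t(x) divides p(x) = v(x) w(x) - y(x), i.e. both gates hold
    p = padd(pmul(combine(V, a), combine(W, a)), pmul(combine(Y, a), [P - 1]))
    return not any(prem(p, T))
def witness(a1, a2, a3, a4):  # honest circuit evaluation; full assignment with a0 = 1 first
    a5 = (a1 + 7 * a2) * (a2 - 2 * a3) % P
    a6 = (a2 - 2 * a3) * a4 % P
    return [1, a1, a2, a3, a4, a5, a6]
```

Changing any single wire of an honest assignment (for instance adding 1 to $a_5$) makes $p(x)$ nonzero at the corresponding root, so $t(x)$ no longer divides it and `qap_satisfied` returns False.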
Pinocchio SNARK from QAP
• Let $R = \{(u, \mathrm{wit})\} \subset F^n \times F^{n_1}$ be a relation where $u \in F^n$ is the statement and $\mathrm{wit} \in F^{n_1}$ is the witness
• Suppose $R$ can be verified with an arithmetic circuit, i.e. there is an arithmetic function $f$ such that $f(u) = 1$ iff there exists a $\mathrm{wit}$ such that $(u, \mathrm{wit}) \in R$
• A QAP for $f$ is derived which has $N = n + 1$ input-output variables
• Prover has to show he knows $(a_1, \dots, a_m)$ such that $t(x)$ divides $v(x)\, w(x) - y(x)$, where $t(x)$ has degree $d$
• Example
  • Let $R = \left\{ (u, \mathrm{wit}) \in \{0, 1\}^{256} \times \{0, 1\}^{100} \mid u = \mathrm{SHA256}(\mathrm{wit}) \right\}$
  • The corresponding $f$ will compute $\mathrm{SHA256}(\mathrm{wit})$ and compare it to $u$
  • $f$ has $N = 256 + 1 = 257$ input-output-related variables
  • The QAP for $f$ will have additional variables $a_{N+1}, \dots, a_m$ corresponding to witness values and other circuit gate inputs and outputs