zk proofs cntd composition zk proofs cntd composition
play

ZK Proofs (cntd.) Composition ZK Proofs (cntd.) Composition - PowerPoint PPT Presentation

Apr 09, 2023 •43 likes •1.23k views

ZK Proofs (cntd.) Composition ZK Proofs (cntd.) Composition Lecture 16 An Example RECALL An Example RECALL Graph Isomorphism An Example RECALL Graph Isomorphism (G 0 ,G 1 ) in L iff there exists an isomorphism such that (G 0 )=G 1

  1. ZK Property (in other pict’ s) Classical definition uses simulation only for corrupt receiver; and uses only standalone security: Environment gets only a transcript at the end x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL

  2. SIM ZK x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL

  3. SIM ZK • SIM-ZK would require simulation also when prover is corrupt x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL

  4. SIM ZK • SIM-ZK would require simulation also when prover is corrupt • Then simulator is a witness extractor x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL

  5. SIM ZK • SIM-ZK would require simulation also when prover is corrupt • Then simulator is a witness extractor • Adding this (in standalone setting) makes it a Proof of Knowledge x,w x F R proto proto i’face x Secure (and correct) if: ∀ ∃ s.t. ∀ output of is distributed Env Env identically in REAL IDEAL REAL and IDEAL

  6. A ZK Proof for Graph Colorability

  7. A ZK Proof for Graph Colorability G,coloring

  8. A ZK Proof for Graph Colorability Uses a commitment protocol as a subroutine F G,coloring

  9. A ZK Proof for Graph Colorability Uses a commitment protocol as a subroutine F Use random colors G,coloring

  10. A ZK Proof for Graph Colorability Uses a commitment protocol as a subroutine F committed Use random colors G,coloring

  11. A ZK Proof for Graph Colorability Uses a commitment protocol as a subroutine F committed pick random edge Use random edge colors G,coloring

  12. A ZK Proof for Graph Colorability Uses a commitment protocol as a subroutine F committed reveal edge pick random edge Use random edge colors G,coloring

  13. A ZK Proof for Graph Colorability Uses a commitment protocol as a subroutine F committed reveal edge pick random edge Use random edge colors distinct colors? G,coloring

  14. A ZK Proof for Graph Colorability Uses a commitment protocol as a subroutine F committed reveal edge pick random edge Use random edge colors distinct colors? G,coloring OK

  15. A ZK Proof for Graph Colorability Uses a commitment protocol as a subroutine At least 1/m probability of catching a wrong proof F committed reveal edge pick random edge Use random edge colors distinct colors? G,coloring OK

  16. A ZK Proof for Graph Colorability Uses a commitment protocol as a subroutine At least 1/m probability of catching a wrong proof F Soundness amplification: committed Repeat say mk times 
 reveal edge (with independent color pick random edge permutations) Use random edge colors distinct colors? G,coloring OK

  17. A Commitment Protocol

  18. A Commitment Protocol Using a OWP f and a hardcore predicate for it B

  19. A Commitment Protocol Using a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding

  20. A Commitment Protocol Using a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding b

  21. A Commitment Protocol Using a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding random x b

  22. A Commitment Protocol Using a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding random x f(x), b ⊕ B(x) b

  23. A Commitment Protocol Using a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding random x f(x), b ⊕ B(x) committed b

  24. A Commitment Protocol Using a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding random x f(x), b ⊕ B(x) committed b

  25. A Commitment Protocol Using a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding random x f(x), b ⊕ B(x) committed b reveal

  26. A Commitment Protocol Using a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding random x f(x), b ⊕ B(x) committed x,b b reveal

  27. A Commitment Protocol Using a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding random x f(x), b ⊕ B(x) committed x,b consistent? b reveal

  28. A Commitment Protocol Using a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding random x f(x), b ⊕ B(x) committed x,b consistent? b reveal b

  29. A Commitment Protocol Using a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding Perfectly binding because 
 f is a permutation random x f(x), b ⊕ B(x) committed x,b consistent? b reveal b

  30. A Commitment Protocol Using a OWP f and a hardcore predicate for it B Satisfies only classical (IND) security, in terms of hiding and binding Perfectly binding because 
 f is a permutation random x f(x), b ⊕ B(x) committed Hiding because B(x) is pseudorandom given x,b consistent? f(x) b reveal b

  31. ZK Results

  32. ZK Results IP and ZK defined [GMR’85]

  33. ZK Results IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86]

  34. ZK Results IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86] Assuming one-way functions exist

  35. ZK Results IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86] Assuming one-way functions exist ZK for all of IP [BGGHKMR’88]

  36. ZK Results IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86] Assuming one-way functions exist ZK for all of IP [BGGHKMR’88] Everything that can be proven can be proven in zero- knowledge! (Assuming OWF)

  37. ZK Results IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86] Assuming one-way functions exist ZK for all of IP [BGGHKMR’88] Everything that can be proven can be proven in zero- knowledge! (Assuming OWF) Variants (known for NP)

  38. ZK Results IP and ZK defined [GMR’85] ZK for all NP languages [GMW’86] Assuming one-way functions exist ZK for all of IP [BGGHKMR’88] Everything that can be proven can be proven in zero- knowledge! (Assuming OWF) Variants (known for NP) ZKPoK, Statistical ZK Arguments, Non-Interactive ZK (using a common random string), Witness-Indistinguishable Proofs, …

  39. ZK Proofs: What for?

  40. ZK Proofs: What for? Authentication

  41. ZK Proofs: What for? Authentication Using ZK Proof of Knowledge

  42. ZK Proofs: What for? Authentication Using ZK Proof of Knowledge Canonical use: As a tool in larger protocols

  43. ZK Proofs: What for? Authentication Using ZK Proof of Knowledge Canonical use: As a tool in larger protocols To enforce “honest behavior” in protocols

  44. ZK Proofs: What for? Authentication Using ZK Proof of Knowledge Canonical use: As a tool in larger protocols To enforce “honest behavior” in protocols At each step prove in ZK it was done as prescribed

  45. ZK Proofs: What for? Authentication Using ZK Proof of Knowledge Canonical use: As a tool x 1 in larger protocols To enforce “honest behavior” in protocols At each step prove in ZK it was done as prescribed

  46. ZK Proofs: What for? Authentication Using ZK Proof of Knowledge Canonical use: As a tool x 1 in larger protocols Prove to me x 1 is what you should To enforce “honest have sent me now behavior” in protocols At each step prove in ZK it was done as prescribed

  47. ZK Proofs: What for? Authentication Using ZK Proof of Knowledge Canonical use: As a tool x 1 in larger protocols Prove to me x 1 is what you should To enforce “honest have sent me now behavior” in protocols At each step prove in ZK it was done as prescribed

  48. ZK Proofs: What for? Authentication Using ZK Proof of Knowledge Canonical use: As a tool x 1 in larger protocols Prove to me x 1 is what you should To enforce “honest have sent me now behavior” in OK protocols At each step prove in ZK it was done as prescribed

  49. ZK Proofs: What for? Authentication Using ZK Proof of Knowledge Canonical use: As a tool x 1 in larger protocols Prove to me x 1 is what you should To enforce “honest have sent me now y 1 behavior” in OK protocols At each step prove in ZK it was done as prescribed

  50. ZK Proofs: What for? Authentication Using ZK Proof of Knowledge Canonical use: As a tool x 1 in larger protocols Prove to me x 1 is what you should To enforce “honest have sent me now y 1 behavior” in OK protocols Prove y 1 is what... At each step prove in ZK it was done as prescribed

  51. ZK Proofs: What for? Authentication Using ZK Proof of Knowledge Canonical use: As a tool x 1 in larger protocols Prove to me x 1 is what you should To enforce “honest have sent me now y 1 behavior” in OK protocols Prove y 1 is what... At each step prove in ZK it was done as prescribed

  52. ZK Proofs: What for? Authentication Using ZK Proof of Knowledge Canonical use: As a tool x 1 in larger protocols Prove to me x 1 is what you should To enforce “honest have sent me now y 1 behavior” in OK protocols Prove y 1 is what... At each step prove OK in ZK it was done as prescribed

  53. ZK Proofs: What for? Authentication Using ZK Proof of Knowledge Canonical use: As a tool x 1 in larger protocols Prove to me x 1 is what you should To enforce “honest have sent me now y 1 behavior” in OK protocols Prove y 1 is what... At each step prove OK in ZK it was done x 2 as prescribed

Recommend

Universal Composition ZK Proofs (cntd.) Universal Composition Lecture 16 An Example RECALL An

Universal Composition ZK Proofs (cntd.) Universal Composition Lecture 16 An Example RECALL An

ZK Proofs (cntd.) Universal Composition ZK Proofs (cntd.) Universal Composition Lecture 16 An Example RECALL An Example RECALL Graph Isomorphism An Example RECALL Graph Isomorphism (G 0 ,G 1 ) in L iff there exists an isomorphism such

1.62k views • 158 slides
LegoSNARK Modular Design and Composition of Succinct Zero-Knowledge Proofs Matteo Campanelli,

LegoSNARK Modular Design and Composition of Succinct Zero-Knowledge Proofs Matteo Campanelli,

LegoSNARK Modular Design and Composition of Succinct Zero-Knowledge Proofs Matteo Campanelli, Dario Fiore , Anas Querol IMDEA Software Institute, Spain 2nd ZKProof Workshop April 10, 2019 zkSNARKs focus of this work from theoretical

535 views • 26 slides
Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Euclid (300 BC) Proofs, Continued Today Proofs : A style guide Proofs should be easy to verify. All the cleverness goes into finding/writing the proof, not reading/verifying it! P vs. NP (informally) : P =

682 views • 21 slides
Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
IN5060 Performance in distributed systems User studies (cntd) Does blur hide asynchrony? study

IN5060 Performance in distributed systems User studies (cntd) Does blur hide asynchrony? study

IN5060 Performance in distributed systems User studies (cntd) Does blur hide asynchrony? study by Ragnhild Eg (Simula) et al., 2011 Perception of synchrony Sensitivity for perceptual synchrony is subjective and depends on the content Spoken

2.11k views • 54 slides
Interactive Proofs Lecture 18 AM 1 Interactive Proofs 2 Interactive Proofs IP[k] 2

Interactive Proofs Lecture 18 AM 1 Interactive Proofs 2 Interactive Proofs IP[k] 2

Interactive Proofs Lecture 18 AM 1 Interactive Proofs 2 Interactive Proofs IP[k] 2 Interactive Proofs IP[k] IP[poly] = PSPACE 2 Interactive Proofs IP[k] IP[poly] = PSPACE IP protocol for TQBF using arithmetization 2 Interactive

1.75k views • 136 slides
Automated Web Service Composition in Practice: from Composition Requirements Specification to

Automated Web Service Composition in Practice: from Composition Requirements Specification to

Outline Automated Web Service Composition The Amazon-MPS Case study Conclusions and Future Works Automated Web Service Composition in Practice: from Composition Requirements Specification to Process Run. Annapaola Marconi , Marco Pistore and

730 views • 59 slides
Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10

Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10

Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10 - 12 September 2016, Hamburg) Gyesik Lee Hankyong National University 1 Overview 1. Verification of proofs 2. Hales proof of the Kepler

651 views • 43 slides
Framework for Metric Composition + Spatial Composition of Spatial Composition of Metrics Al

Framework for Metric Composition + Spatial Composition of Spatial Composition of Metrics Al

Framework for Metric Composition + Spatial Composition of Spatial Composition of Metrics Al Morton + many others M March, 2008 h 2008 draft-ietf-ippm-framework-compagg-06.txt Overall Framework (includes common concepts and concepts and

257 views • 9 slides
Proofs that, proofs why, and the analysis of paradoxes To Gerhard, on your 60th birthday Peter

Proofs that, proofs why, and the analysis of paradoxes To Gerhard, on your 60th birthday Peter

Proofs that, proofs why, and the analysis of paradoxes To Gerhard, on your 60th birthday Peter Schroeder-Heister Universit at T ubingen J agerfest Bern, 13.12.2013 p. 1 Russells antinomy in naive set theory Extend natural

688 views • 41 slides
NP-Hardness Proofs With What Problems We . . . What Problems We . . . Realistic Computers

NP-Hardness Proofs With What Problems We . . . What Problems We . . . Realistic Computers

NP-Hardness Proofs . . . Usual Proofs of NP- . . . Proofs of NP- . . . Pedagogical Problem . . . NP-Hardness Proofs With What Problems We . . . What Problems We . . . Realistic Computers Instead What Is NP-Hard: . . . Proof that . . . of

296 views • 12 slides
proofs of proximity for distribution testing (Distribution testing now with proofs!) Tom Gur

proofs of proximity for distribution testing (Distribution testing now with proofs!) Tom Gur

proofs of proximity for distribution testing (Distribution testing now with proofs!) Tom Gur (UC Berkeley) October 14, 2017 FOCS 2017 Workshop: Frontiers in Distribution Testing Joint work with Alessandro Chiesa (UC Berkeley) proofs of

2.25k views • 158 slides
Foundation of proofs Jim Hefferon http://joshua.smcvt.edu/proofs The need to prove In

Foundation of proofs Jim Hefferon http://joshua.smcvt.edu/proofs The need to prove In

Foundation of proofs Jim Hefferon http://joshua.smcvt.edu/proofs The need to prove In Mathematics we prove things The base angles of an isoceles triangle are equal seems obvious to a person with mathematical aptitude. a if a = b

678 views • 52 slides
Lecture 8: More Proofs review: proofs Start with hypotheses and facts Use rules of

Lecture 8: More Proofs review: proofs Start with hypotheses and facts Use rules of

cse 311: foundations of computing Fall 2015 Lecture 8: More Proofs review: proofs Start with hypotheses and facts Use rules of inference to extend set of facts Result is proved when it is included in the set Statement Fact 2

185 views • 18 slides
Flexiformality in Proofs: Bridging between Formal and Informal Proofs Michael Kohlhase Professur

Flexiformality in Proofs: Bridging between Formal and Informal Proofs Michael Kohlhase Professur

Flexiformality in Proofs: Bridging between Formal and Informal Proofs Michael Kohlhase Professur fr Wissensreprsentation und -verarbeitung Informatik, FAU Erlangen-Nrnberg http://kwarc.info 20. October 2016, Dagstuhl Seminar on

568 views • 39 slides
On Hypersequents and Labelled Sequents Translating Labelled Sequent Proofs to Hypersequent Proofs

On Hypersequents and Labelled Sequents Translating Labelled Sequent Proofs to Hypersequent Proofs

On Hypersequents and Labelled Sequents Translating Labelled Sequent Proofs to Hypersequent Proofs Robert Rothenberg 1 2 1 School of Computer Science University of St Andrews 2 Interactive Information, Ltd Edinburgh Workshop in Honour of Roy

393 views • 26 slides
JLO Composition for Voice, Iyl, Gngan, kb, Agogo, Skr , Clave & Piano

JLO Composition for Voice, Iyl, Gngan, kb, Agogo, Skr , Clave & Piano

JLO Composition for Voice, Iyl, Gngan, kb, Agogo, Skr , Clave & Piano Ay Olrnt Music Composition & Theory University of Pittsburgh USA A Symposium & Festival Bridging Musicology & Composition:

553 views • 16 slides
(Interactive) Proofs Proofs from 900 BCE until 1800s Pythagorass Theorem: Proof: Looks legit.

(Interactive) Proofs Proofs from 900 BCE until 1800s Pythagorass Theorem: Proof: Looks legit.

15-251: Great Theoretical Ideas in Computer Science Lecture 24 (Interactive) Proofs Proofs from 900 BCE until 1800s Pythagorass Theorem: Proof: Looks legit. Then there was Russell Principia Mathematica Volume 2 Russell and others worked

949 views • 50 slides
AP VS DE ENGLISH 11 th : AP Language and Composition or DE 111 and 112 12 th : AP Literature and

AP VS DE ENGLISH 11 th : AP Language and Composition or DE 111 and 112 12 th : AP Literature and

AP VS DE ENGLISH 11 th : AP Language and Composition or DE 111 and 112 12 th : AP Literature and Composition or DE 243 and 244 11 th grade AP English Language and DE 111 and 112: Composition Composition Credit: 1 Unit; GPA bump

620 views • 7 slides
Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive Proofs 2 Interactive Proofs Prover wants to convince verifier that x has some property 2 Interactive Proofs Prover wants to convince verifier

1.9k views • 174 slides
Proofs Bits of Wisdom on Solving Problems, Writing Proofs, and Enjoying the Process: How to

Proofs Bits of Wisdom on Solving Problems, Writing Proofs, and Enjoying the Process: How to

15-251: Great Theoretical Ideas in Computer Science Fall 2016 Lecture 1.5 August 31, 2016 Proofs Bits of Wisdom on Solving Problems, Writing Proofs, and Enjoying the Process: How to Succeed in This Class No specific topic covered

857 views • 61 slides
Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs Prover wants to convince verifier that x has some property Interactive Proofs Prover wants to convince verifier that x has some property i.e. x is in

3.29k views • 145 slides
Projects. Probabilistically Checkable Proofs... Probabilistically Checkable Proofs Whats a

Projects. Probabilistically Checkable Proofs... Probabilistically Checkable Proofs Whats a

Projects. Probabilistically Checkable Proofs... Probabilistically Checkable Proofs Whats a proof? Statement: A formula is satisfiable. Proof: assignment, a . Property: 5 minute presentations. Can check proof in polynomial time. A real

401 views • 3 slides
Opportunistic Composition of Human- Opportunistic composition Computer Interactions in Ambient

Opportunistic Composition of Human- Opportunistic composition Computer Interactions in Ambient

Opportunistic Composition of Human- Opportunistic composition Computer Interactions in Ambient Spaces Ambient env. Our approach Plastic HCI Augustin Degas Requirements Ergonomic criteria Sylvie Trouilhet - Jean-Paul Arcangeli, IRIT

379 views • 21 slides

More recommend