zk-SNARKs

zk-SNARKs. Panagiotis Grontas, NTUA-advTCS, 01/06/2017. PowerPoint presentation, 68 slides.



  1. zk-SNARKs (title slide)
     Outline: Introduction, Prerequisites, The Proof, Applications, References.

  2. Introduction
     zkSNARK: Zero Knowledge Succinct Non-Interactive Arguments of Knowledge.
     Use: efficiently verify the correctness of computations without executing them.
     Applications: anonymous bitcoin (ZCash); verifying cloud computations (centralised or decentralised).
     From theory to practice...

  3. Application model
     A server owns a private input w (e.g. a private DB). A client owns an input u (e.g. a query).
     The client wishes to learn z = f(u, w) for a function f known to both.
     Client: computation correctness (integrity); its computing power should be confined to the bare minimum of sending u and receiving z.
     Server: private input confidentiality.

  4. What zk-SNARKs offer
     Zero Knowledge: the client (verifier V) learns nothing but the validity of the computation.
     Succinct: the proof is tiny compared to the computation. The proof size is constant, $O_\lambda(1)$ (it depends only on the security parameter $\lambda$), and the verification time is $O_\lambda(|f| + |u| + |z|)$, independent of the running time of f.
     Non-Interactive: the proofs are created without interaction with the verifier and are publicly verifiable strings.
     Arguments: soundness is guaranteed only against a computationally bounded server (prover P).
     Knowledge: the proof cannot be constructed without access to a witness.

  5. Position in the complexity landscape...
     One-Way Functions ⇒ NP ⊆ ZK (Goldreich, Micali, Wigderson: a ZKP for 3-COL).
     NP = PCP[O(log n), O(1)].
     We can use PCPs to construct ZK proofs (in theory), but the resulting proofs are hugely inefficient.
     Can we construct SNARKs without using PCPs? Yes, using QSPs and QAPs (a better characterisation of NP) together with cryptographic assumptions.

  6. Main idea
     1. Transform the verification of the computation into checking a relation between secret polynomials: computation validity ↔ $p(x)\,q(x) = s(x)\,r(x)$.
     2. The verifier chooses a random evaluation point $x_0$ that must be kept secret, and checks $p(x_0)\,q(x_0) = s(x_0)\,r(x_0)$.
     3. Use homomorphic encryption to obtain the evaluations at $x_0$ from $\mathrm{Enc}(x_0)$, so the prover never sees $x_0$: $\mathrm{Enc}(p(x_0))\,\mathrm{Enc}(q(x_0)) = \mathrm{Enc}(s(x_0))\,\mathrm{Enc}(r(x_0))$.
     4. Randomise for zero knowledge with a secret shift $k$: $\mathrm{Enc}(k + p(x_0))\,\mathrm{Enc}(k + q(x_0)) = \mathrm{Enc}(k + s(x_0))\,\mathrm{Enc}(k + r(x_0))$.
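Steps 1 and 2 of the main idea, the reduction of a polynomial identity to a single check at a random secret point, as an added Python example (this is not code from the presentation). It assumes a toy prime field $\mathbb{F}_P$ with $P = 2^{61} - 1$ and dense coefficient lists; the honest and cheating polynomials are constructed for the demo. The cheating prover's $s'$ differs from $p \cdot q$ by $(x - 5)$, so its proof is only accepted when the verifier's secret point happens to be $x_0 = 5$, which is what step 2's "must be kept secret" protects against.

```python
"""Polynomial-identity check at a random point over a prime field (added toy example).
Assumed parameters: field size P = 2**61 - 1, polynomials as coefficient lists,
lowest degree first.  Real systems use ~256-bit fields and encrypted evaluation."""
import random

P = 2**61 - 1  # assumed toy field modulus


def poly_mul(a, b):
    """Multiply two coefficient lists mod P."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out


def poly_eval(a, x):
    """Horner evaluation of a(x) mod P."""
    acc = 0
    for coef in reversed(a):
        acc = (acc * x + coef) % P
    return acc


def degree(a):
    """Index of the highest non-zero coefficient (-1 for the zero polynomial)."""
    for i in range(len(a) - 1, -1, -1):
        if a[i] % P:
            return i
    return -1


def verifier_check(p, q, s, r, x0):
    """The verifier's single-point test p(x0) q(x0) == s(x0) r(x0)."""
    lhs = (poly_eval(p, x0) * poly_eval(q, x0)) % P
    rhs = (poly_eval(s, x0) * poly_eval(r, x0)) % P
    return lhs == rhs


def soundness_bound(p, q, s, r):
    """Schwartz-Zippel: if pq != sr as polynomials, a uniformly random x0 passes
    verifier_check with probability at most deg(pq - sr) / P."""
    d = max(degree(poly_mul(p, q)), degree(poly_mul(s, r)))
    return d / P


def run_check(p, q, s, r, rng=random):
    """One protocol run: the verifier draws the secret point and tests the relation."""
    x0 = rng.randrange(1, P)  # secret; the prover must not learn it in advance
    return verifier_check(p, q, s, r, x0)


def honest_and_cheating_demo(seed=1):
    """Constructed inputs: p = x + 1, q = x + 2, honest s = p*q, r = 1.
    The cheating s' = p*q + (x - 5) agrees with p*q only at x = 5."""
    rng = random.Random(seed)
    p, q, r = [1, 1], [2, 1], [1]
    s_honest = poly_mul(p, q)
    s_cheat = s_honest[:]
    s_cheat[0] = (s_cheat[0] - 5) % P  # constant term: -5
    s_cheat[1] = (s_cheat[1] + 1) % P  # linear term: +x
    return {
        "honest_accepted": run_check(p, q, s_honest, r, rng),
        "cheat_caught": not run_check(p, q, s_cheat, r, rng),
        "cheat_if_x0_leaked": verifier_check(p, q, s_cheat, r, 5),
        "bound": soundness_bound(p, q, s_cheat, r),
    }


if __name__ == "__main__":
    print(honest_and_cheating_demo())
```

The bound returned by `soundness_bound` is the whole reason step 3 exists: it only holds if $x_0$ is uniform and unknown to the prover, so the evaluation has to happen under encryption rather than by handing $x_0$ over.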

  7. ZK Proofs: computation as a dialogue
     Interactive proof systems: Shafi Goldwasser, Silvio Micali and Charles Rackoff, 1985. A breakthrough with many theoretical and practical applications.
     Prover (P): wants to prove that a string belongs to a language.
     Verifier (V): wants to check the proof, such that:
       a correct proof convinces V with overwhelming probability;
       a wrong proof convinces V with negligible probability;
       V is convinced without learning anything else.

  8. ZK Proofs: an easy example
     P holds two identical balls of different colour; V is colour blind. Can V be convinced that the colours differ? Yes:
       P hands the balls to V (commit).
       V hides the balls behind his back, one in each hand, and randomly decides whether or not to switch hands.
       V presents the balls to P (challenge).
       P says whether the balls have switched hands (response).
       V accepts or not.
     A malicious P (one whose balls are in fact the same colour) can only guess, so it cheats with probability 50%; repeat to reduce it.

  9. Definitions: notation
     Language $L \in NP$: there is a polynomial-time Turing machine M such that $x \in L \Leftrightarrow \exists w \in \{0,1\}^{p(|x|)} : M(x, w) = 1$.
     Two PPT Turing machines P, V. $\langle P(x, w), V(x) \rangle$ is the interaction between P and V with common public input x and private P input w.
     $\mathrm{out}_V \langle P(x, w), V(x) \rangle$ is the output of V at the end of the protocol.

  10. Properties: completeness and soundness
     Completeness: an honest P convinces an honest V with certainty. If $x \in L$ and $M(x, w) = 1$ then $\Pr[\mathrm{out}_V \langle P(x, w), V(x) \rangle = 1] = 1$.
     Soundness: a malicious P ($P^*$) only convinces an honest V with negligible probability. If $x \notin L$ then $\forall (P^*, w)$: $\Pr[\mathrm{out}_V \langle P^*(x, w), V(x) \rangle = 1] = \mathrm{negl}(\lambda)$.
     Note: Proof of knowledge: soundness holds even against a $P^*$ that is not PPT (computationally unbounded). Argument of knowledge: soundness is only required against a PPT $P^*$.

  11. Properties: (perfect) zero knowledge
     Intuition: V does not gain any more knowledge than the validity of P's claim. We allow a malicious verifier $V^*$ that does not follow the protocol and cheats in order to learn w.
     For each $V^*$ there is a PPT simulator S such that, if $x \in L$ and $M(x, w) = 1$, the random variables $\mathrm{out}_{V^*} \langle P(x, w), V^*(x) \rangle$ and $\mathrm{out}_{V^*} \langle S(x), V^*(x) \rangle$ follow the same distribution.
     Whatever V can learn after interacting with P can be learnt by interacting with S (disregarding P).

  12. Constructing the simulator
     Reminder: S does not have access to the witness. S takes P's place during the interaction with V, and we cannot distinguish $\langle S, V \rangle$ from $\langle P, V \rangle$.
     We allow rewinds: when V sets a challenge that S cannot answer, we stop and rewind V to before the challenge. The protocol is ZK if, despite the rewinds, V accepts at some point, as long as S remains PPT.
     Why? Because V cannot distinguish between P (with the witness) and S (without the witness). As a result V extracts the same information from P and from S: nothing.
     A theoretical construction with practical applications.

  13. Cryptographic applications
     Authentication without passwords: proof that the user knows the password; transmission and processing of the password itself is not needed.
     Digital signatures.
     Anti-malleability: proof that a ciphertext contains a particular message.
     In general: proof that a player follows a protocol without releasing any private input.

  14. Σ-protocols
     A 3-round protocol with an honest verifier and special soundness:
       1. Commit: P commits to a value.
       2. Challenge: V selects a random challenge uniformly from a challenge space.
       3. Response: P responds using the commitment, the witness and the random challenge.
     Special soundness: two executions of the protocol with the same commitment (and different challenges) reveal the witness.

  15. Knowledge of DLOG: Schnorr's protocol I
     Goal: proof of knowledge of x without releasing any more information.
     Protocol input. Public: g is a generator of an order-q subgroup of $\mathbb{Z}_p^*$ in which the DLP is hard, and $h = g^x \pmod p$. Private: P knows the witness $x \in \mathbb{Z}_q^*$.

  16. Knowledge of DLOG: Schnorr's protocol II
     Commit (P → V): randomly select $t \in_R \mathbb{Z}_q^*$, compute $y = g^t \bmod p$ and send y to V.
     Challenge (V → P): $c \in_R \mathbb{Z}_q^*$.
     Response (P → V): P computes $s = t + cx \bmod q$ and sends it to V.
     V accepts iff $g^s = y h^c \pmod p$.

  17. Properties I
     Completeness: $g^s = g^{t + cx} = g^t g^{cx} = y h^c \pmod p$.
     Soundness: the probability that $P^*$ cheats an honest verifier is $1/q$ (negligible for large q; repeat to decrease it further).
     Special soundness: let $(y, c, s)$ and $(y, c', s')$ be two successful protocol transcripts with the same commitment y and $c \neq c'$. Then
     $g^s = y h^c$ and $g^{s'} = y h^{c'}$ ⇒ $g^s h^{-c} = g^{s'} h^{-c'}$ ⇒ $g^{s - xc} = g^{s' - xc'}$ ⇒ $s - xc = s' - xc' \pmod q$ ⇒ $x = \dfrac{s - s'}{c - c'} \pmod q$.
     Since P can answer both challenges, P knows the DLOG of h.

  18. Properties II
     Zero knowledge against an arbitrary verifier: no (the protocol is only honest-verifier ZK). A cheating verifier does not choose its challenge randomly but bases each challenge on the commitment it received before. In the simulated execution it will switch challenge, and S will not be able to respond.
     How to add ZK: V commits to its randomness before the first message by P, or the challenge space is restricted to {0, 1}. In that case V has only two options, so S can prepare for both.
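Slides 15 to 18 in running code, as an added Python example that is not part of the presentation: the three rounds of Schnorr's protocol and the verifier check, the special-soundness extractor that recovers x from two transcripts with the same commitment, and the honest-verifier simulator that produces an accepting transcript with no witness at all. The group parameters $p = 1019$, $q = 509$, $g = 4$ are assumed toy values (a safe prime with $p = 2q + 1$); they are far too small for any real use.

```python
"""Schnorr's Sigma-protocol for knowledge of a discrete log (added toy example).
Assumed parameters: p = 1019 = 2q + 1, q = 509, g = 4 generating the order-q subgroup."""
import secrets

P = 1019  # assumed toy prime modulus
Q = 509   # prime order of the subgroup generated by G
G = 4     # generator of the order-q subgroup of Z_p^*
assert pow(G, Q, P) == 1 and G != 1


def keygen():
    """Witness x in Z_q^* and public value h = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def commit():
    """Round 1 (P -> V): choose t in Z_q^*, send y = g^t mod p."""
    t = secrets.randbelow(Q - 1) + 1
    return t, pow(G, t, P)


def challenge():
    """Round 2 (V -> P): uniform challenge c in Z_q^*."""
    return secrets.randbelow(Q - 1) + 1


def respond(x, t, c):
    """Round 3 (P -> V): s = t + c*x mod q."""
    return (t + c * x) % Q


def verify(h, y, c, s):
    """V accepts iff g^s = y * h^c (mod p)."""
    return pow(G, s, P) == (y * pow(h, c, P)) % P


def run_protocol(x, h):
    """One honest execution; returns the transcript (y, c, s) and V's decision."""
    t, y = commit()
    c = challenge()
    s = respond(x, t, c)
    return (y, c, s), verify(h, y, c, s)


def extract(transcript1, transcript2):
    """Special soundness: from (y, c, s) and (y, c', s') with c != c',
    x = (s - s') / (c - c') mod q."""
    (y1, c1, s1), (y2, c2, s2) = transcript1, transcript2
    if y1 != y2 or c1 == c2:
        raise ValueError("need the same commitment and distinct challenges")
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q


def rewind_and_extract(x, h):
    """Rewind the prover to the same commitment and feed it two challenges."""
    t, y = commit()
    c1 = challenge()
    c2 = (c1 % (Q - 1)) + 1  # in Z_q^* and always different from c1
    return extract((y, c1, respond(x, t, c1)), (y, c2, respond(x, t, c2)))


def simulate(h, c):
    """Honest-verifier simulator: knowing c before choosing y, pick s first and
    solve y = g^s * h^(-c); no witness is used.  (pow with a negative exponent
    and a modulus computes the modular inverse; Python 3.8+.)"""
    s = secrets.randbelow(Q - 1) + 1
    y = (pow(G, s, P) * pow(h, -c, P)) % P
    return y, c, s


if __name__ == "__main__":
    x, h = keygen()
    print("accepted:", run_protocol(x, h)[1])
    print("extracted == x:", rewind_and_extract(x, h) == x)
    print("simulated transcript accepted:", verify(h, *simulate(h, challenge())))
```

`simulate` is exactly where slide 18 bites: it has to know c before it can choose y, so it only works when the verifier's challenge does not depend on y. A verifier that picks c as a function of the commitment forces S to rewind, and with a challenge space of size q the chance of having guessed c correctly is 1/q per attempt; shrinking the challenge space to {0, 1} (or having V commit to c up front) is what makes that rewinding affordable.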
