a brief on snarks & qa-nizkskodu.ut.ee/~behzad87/index_files/ait_brief-snark_qanizk19... · 2020....
TRANSCRIPT
-
A brief on SNARKs & QA-NIZKs
Behzad Abdolmaleki
University of Tartu, Estonia
27.08.2019 / AIT, Vienna
-
29\
Interactive Proofs
2
OK, xLWitness w
(x,w) RL
I am the doctor! pk
pk, sk
Prove it!
sk
Prover wants to convince Verifier that x has someproperty (i.e. “I am the doctor!” Or “x is in language L”)
Commit
Challenge
Responds
-
29\ 3
Non-Interactive Proofs
ProofOK, xLWitness w
(x,w) RL
Prover wants to convince Verifier that “𝑥 is in language L”.
Non-Interactive proofs usually are constructed in two models:
Random Oracle (RO) Model [Micali 94]
Commit
Challenge
Responds
Common Reference String (CRS)
Model
P V
ProofP V
CRS
P VCom, Hash(Com), Responds
- Trusted Third Party (TTP) generates CRS
-
29\
Non-interactive Zero-knowledge (NIZK)
4
x ∈ L, w
π = P (x, w)
CorrectnessSoundnessZero-knowledge
-
29\
Non-interactive Zero-knowledge
PRIViLEDGE 5
x ∈ L, w
π = P (x, w)
-
29\
Non-interactive Zero-knowledge
PRIViLEDGE 6
x ∈ L, w
π = P (x, w)
● P should be able to compute π only when knowing valid w
● Sim should be able to compute π without knowing w
● Sim must have some extra power
-
29\
NIZK in CRS model
7
x ∈ L, w
π = P (crs , x, w)
crs, td
Imag
inar
y gu
y
-
29\
NIZK in CRS model
8
x ∈ L, w
π = P (crs , x, w)
crs, td
Imag
inar
y gu
y
-
29\
Special Type of NIZKs: zk-SNARKs
9
OK, xL
Witness w
(x,w) RL
(CRS, td) ←CRSGen(1𝑛)
proof ←Prove(CRS, witness)
proof
{1, 0} ←Verify(CRS, word, proof)
We are interested to make them succinct as much as possible.
Succinct: Small size of proof and low verification complexity
[Groth 2010] [Lipmaa 2012] [Gennaro GentryParno Raykova 2013]
Proof = 3 group elements
[Groth 2016]
-
29\
Inventions in NIZK: zk-SNARKs
10
for whole NP without costly reductions
For known arithmetic circuit C & partially unknown x, y = C (x)
Very strong (non-black-box) cryptographic assumptionsKnowledge assumption: if P outputted x then P must know y[Gentry Wichs 2011]: non-black-box assumptions needed
The CRS depends on concrete circuit
need to generate new CRS for each circuit!
Applications: verifiable computation, privacy-preserving cryptocurrencies, …
-
What If CRS Generator is
Malicious ?
11
-
29\12
Subversion security: Trust issues
π = P (crs , x, w)
x, w x
V (crs, x, π) ?
Interested in zero knowledgecrs should contain trusted crszk
Interested in soundnesscrs should contain trusted crssnd
Need to trust crszkNeed to trust crssnd
(crszk, crssnd), td
-
29\13
Subversion security: Trust issues
π = P (crs , x, w)
x, w x
V (crs, x, π) ?
Subversion ZK: zero knowledge even if CRS creator is malicious
Subversion SND: soundness even if CRS creator is malicious
Interested in zero knowledgecrs should contain trusted crszk
Interested in soundnesscrs should contain trusted crssnd
Research direction: minimize the needed trust
Need to trust crszkNeed to trust crssnd
(crszk, crssnd), td
-
29\14
Sub-ZK in CRS model
x ∈ L, w
π = P (crs, x, w)
crs, td
If crs creator is malicious, there is no guarantee that:• crs is correct• td exists • crs is from correct distribution
Imag
inar
y gu
y
-
29\15
Impossibility Result
● [Bellare, Fuchsbauer, Scafuro 2016]
●
● [Abdolmaleki, Baghery, Lipmaa, Zajac 2017]● Efficient SND + Sub-ZK SNARK for NP
● Asiacrypt 2017 “top three” paper
● [Fuchsbauer 2018]: related/improved constructions
WI ZK Sub-ZK
SND Possible Possible Possible
Sub-SND Possible Impossible Impossible
-
29\
[ABLZ17] recipe for Sub-ZK SNARK
16
Design a public algorithm CV for checking crs is correct If CV(crs) = 1: there exists some td
Proving Sub-ZKIf CV(crs) = 0: no need to simulateIf CV(crs) = 1:
Use extractor Ext to recover (unique) td from crsSimulate by using extracted ExtExt exists by assumption
-
29\
Sub-ZK SNARK
17
OK, xLWitness w
(x,w) RL
(CRS, td) ←CRSGen(1𝑛)
proof ←Prove(CRS, witness)
proof
{1, 0} ←Verify(CRS, word, proof)
If 1 ← CV(crs)
Then
-
29\
Summary of SNARK Branch
18
…
ZK proofs
Interactive Non-interactive
CRS ModelRandom Oracle Model
Privacy-preserving technologies
… zk-SNARKs
Subversion zk-SNARKsUpdatable zk-SNARKs
Privacy-preserving Coins (Zcash,…),Smart Contracts (HAWK,…),E-voting ….
-
More Faster NIZKs for Linear Language:
19
Quasi-Adaptive NIZK (QA-NIZK)
-
29\
Quasi-Adaptive NIZK
20
OK, xLWitness w
(x,w) RL
CRS
proof
|Proof | = 1 group element
[Roy-Julta Asiacrypt2013] [Roy-Julta Crypto2014] [Kilts-Wee Eurocrypt2015]
Language parameter ρ is chosen before the CRS ρ cannot adaptively depend on the CRS Usually, ρ = some public key
ρ
•Applications in constructing efficient cryptographic primitives (commitment schemes, IBE, signature schemes, …)
-
29\
QA-NIZK
21
● “ [Kiltz, Wee 2015]● most efficient known QA-NIZK for SUBSPACE
language
● Task of QA-NIZK for SUBSPACE:● Fix language parameter ρ 1 ∈ 𝐺
𝑛 × 𝑚
● Prove in zero knowledge that [ 𝑥]1= ρ 1𝑤 for some 𝑤∈ ℤ𝑝
𝑚
𝐿 = 𝑥 1 ∈ 𝐺1𝑛 | ∃ 𝑤 ∈ ℤ𝑝
𝑚 𝑠. 𝑡 [ 𝑥]1 = ρ 1𝑤
-
29\22
Our recipe: Sub-QA-NIZK
● Design a public algorithm PKV for checking crs is correct
● If PKV(ρ, crs ) = 1: there exists some td
● Proving Sub-ZK
● If PKV(ρ, crs ) = 0: no need to simulate
● If PKV(ρ, crs ) = 1:
● Use extractor Ext to recover td from crs Simulate by using
extracted Ext
● Ext exists by KWKE assumption.
Extraction of td requires non-black-box “knowledge assumption”
-
29\23
Our recipe: Sub-QA-NIZK
● Design a public algorithm PKV for checking crs is correct
● If PKV(ρ, crs ) = 1: there exists some td
● Proving Sub-ZK
● If PKV(ρ, crs ) = 0: no need to simulate
● If PKV(ρ, crs ) = 1:
● Use extractor Ext to recover td from crs Simulate by using
extracted Ext
● Ext exists by KWKE assumption.
Extraction of td requires non-black-box “knowledge assumption”
Weakness of the current Sub-QANIZK and open problems:
The PKV is not general and for different security parameter one needs to define a new algorithm PKV.
It only works for some especial construction and for extraction it needs some invertible matrix (crs elements)
It does not fit with Simulation Sound Extractable property
-
29\24
Recent Inventions in NIZK
SNARK QA-NIZK
succinct non-interactive argument of knowledge
quasi-adaptive non-interactive zero knowledge
-
29\25
Recent Inventions in NIZK
SNARK Succinct QA-NIZK
Versatility Whole NP Limited class of languages
Efficiency 3 group elements 1 group element
Assumptions Non-black-box (knowledge) Very standard
[Groth 2010],[Lipmaa 2012],[Gennaro Gentry Parno Raykova 2013],[Parno Howell Gentry Raykova 2013],[Groth 2016],[Groth Maller 2017],[Abdolmaleki Baghery Lipmaa Zajac 2017],…
[Jutla Roy 2013],[Libert Peters Joye Yung 2014],[Jutla Roy 2014],[Abdalla Benhamouda Pointcheval 2015],
[Kiltz-Wee 2015],[González Hevia Ràfols 2015],[Libert Peters Joye Yung 2014],[Abdolmaleki Lipmaa Siim Zajac eprit2018-19],
Sub-zk-SNARKSub-zk-QA-NIZK
-
29\
The Tree of Succinct NIZK
26
NIZK in CRS Model
zk-SNARKs
Sub- zk-SNARKsUpdatable zk-SNARKs
QA-NIZKs
Updatable QANIZKs Sub-QANIZKs
Simulation Sound Extractable (sub) zk-SNARKs
COCO Framework?
-
29\
The Tree of Succinct NIZK
27
NIZK in CRS Model
zk-SNARKs
Sub- zk-SNARKsUpdatable zk-SNARKs
QA-NIZKs
Updatable QANIZKs Sub-QANIZKs
Simulation Sound Extractable (sub) zk-SNARKs
COCO Framework
SSE-sub-QA-NIZK?
(Under working with Daniel)
?
Ad-Hoc based
Ad-Hoc based
Modular based
(Under working with Daniel)
More Efficient SSE zk-SNARKs?
(Under working with Sebastian and Daniel)
-
Thank you
European Union's H2020 European Union's H2020
-
References
[1] B. Abdolmaleki, K. Baghery, H. Lipmaa, and M. Zajac, "A subversion-resistant SNARK," in ASIACRYPT , 2017.
[2] G. Fuchsbauer, "Subversion-zero-knowledge snarks," in PKC , volume 10769 of
LNCS, pages 315–347. Springer, , 2018.
[3] B. Abdolmaleki, H. Lipmaa, J. Siimand M. Zajac, "On QA-NIZK in the BPK
Model," in Cryptology ePrintArchive, Report 2018/877.
https://eprint.iacr.org/2018/877, 2018.
[4] B. Abdolmaleki, S. Ramacher, and D. Slamanig, "Lift-and-Sift: obtaining
simulation extractable subversion and updatable snarksgenerically," in
Cryptology ePrintArchive, Report 2020/062, 2020.
https://eprint.iacr.org/2020/062, 2020.
[5] B.Abdolmaleki and D.Slamanig, "Unbounded Simulation-Sound Subversion
Resistant Quasi-Adaptive NIZK Proofs and Applications to Modular zk-
SNARKs," in Cryptology ePrint Archive, Report 2020/364, 2020.
[6] B.Abdolmaleki, S.Ramacher, and D.Slamanig, "SoK: Lifting Transformations for
Simulation Extractable Subversion and Updatable SNARKs," in The 3rd ZKProof
Workshop., 2020.