Zero-Knowledge Argument for Polynomial Evaluation with Applications to Blacklists
Stephanie Bayer
Jens Groth
University College London
Polynomial
π£
π’
(π’ ,π£ )
Zero-knowledge argument for correct polynomial evaluation
Statement:
such that
Prover Verifier
Witness
SoundnessStatement is true
Zero-knowledgeNothing else revealed remains secret
π£π’
Membership and non-membership proofs
β’ List andβ’ Define
β’ If then β Prove where committed trivially
β’ If then β Prove where and prove
π’
π’0
π’π£
Zero-knowledge argument for correct polynomial evaluation
Statement:
such that
Prover Verifier
Witness Special honest-verifier zero-knowledgeGiven any challenge possible to simulate the argument
π£π’
3-move argument
Public coinVerifier picks challenge
Argument of knowledgeCan extract such that
Easy to convert to full zero-knowledge
Commitment properties
β’ Additively homomorphic
β’ SHVZK argument for multiplicative relationship
β’ Examplesβ Pedersen commitments β ElGamal-style commitments
π πβ ΒΏ π+π
π π ππ
Simple SHVZK argument for correct polynomial evaluation
Hornerβs rule gives us
Commit to the intermediate values and prove correct
π£
π’
ππ·β 1+π’ππ·
π’(ππ·β1+π’ππ·))
π1+π’β¦
πmultπmult
Efficiency β using Pedersen commitments
Degree D polynomial Rounds Prover Verifier Comm.
Chaum and Ped. 1992 3 expo. expo. group
Brands et al. 2007 3 . expo. group
Degree D polynomial Rounds Prover Verifier Comm.
This work 3 expo. mul.
expo. mult.
group field
Rewriting the polynomial
Prover wants to demonstrate
Without loss of generality
Write in binary to get
Commit to powers of
π’ π’2 π’4 π’2π
πmult πmult πmult
β¦
β¦
commitments and arguments
Zero-knowledge argument of knowledge of power of
Statement:
Accept if opens to
Witness π’2
π
π π
π πβπ π π₯βπππ₯
π π=π₯π’2π
+ π π
π’2π π π
π₯β
KnowledgeAnswers to 2 challenges
would reveal
Zero-knowledge is uniformly random regardless of
Masked powers of
π’ π’2 π’4 π’2π
β¦
π 0=π₯π’20
+ π 0
π 1=π₯π’21
+ π 1
π 2=π₯π’22+ π 2
π π=π₯π’2π
+ π π
A helpful polynomial
πΏπ πΏ1 πΏ0β¦π£
CompletenessIf prover okSoundnessIf prover fails
commitments
SHVZK argument for point on polynomial
βππ ,β¦ ,π0=0
1
πππβ¦ π0βπ=0
π
π ππ π π₯1β π πAccept if is inside
π₯βππ
π π=π₯π’2π
+ π π
Statement: such that π£π’
πΏπ πΏ1 πΏ0β¦
π£ πΏπ πΏ1 πΏ0β¦π₯π+1
β π₯π
β π₯β β
Soundness
SHVZK argument for polynomial evaluation
β’ 3-move public coin argumentβ’ Simple setup with commitment key β’ Perfect completenessβ’ Comp. soundness based on discrete log. problemβ’ Perfect special honest verifier zero-knowledge
Statement: such that π£π’
Efficiency β using Pedersen commitments
Degree D polynomial Rounds Prover Verifier Comm.
This work 3 expo. mul.
expo. mult.
group field
Degree D Rounds Prover Verifier Comm.
10 3 13 ms 17 ms 8 KB
100 3 24 ms 30 ms 15 KB
1000 3 41 ms 45 ms 21 KB
10000 3 182 ms 81 ms 29 KB
100000 3 1,420 ms 217 ms 35 KB
1000000 3 15,512 ms 1,315 ms 41 KB
256-bit subgroup modulo 1536-bit prime on MacBook, 2.54 GHz