efficient zero-knowledge proofs jens groth university college london
TRANSCRIPT
Efficient Zero-Knowledge Proofs
Jens Groth
University College London
Zero-knowledge proof
Prover Verifier
Witness
Soundness:Statement is true
Zero-knowledge:Nothing but truth revealed
Statement
Internet voting
Voter Election authorities
Encpk(vote;r)
Witness:vote, r
Encryption:The vote is private
Is the vote valid?
The vote is valid
Soundness:The encrypted vote is valid
Zero-knowledge:The vote remains secret
Multi-party computation
Peggy Victor
x y
f(x,y)
Did you follow the protocol correctly?
I followed the protocol
correctly
Soundness:Peggy followed protocol
Zero-knowledge:Peggy’s input remains secret
zk proof
Signatures
Signer Verifier
sk = x
vk = f(x)
I know x and m
Fiat-Shamir heuristic:If ZK proof is public coin make it non-interactive by using hash-function to compute challenges
Signsk(m)
Statements
• Statements of the form xL– L is an NP-language– Prover’s witness is w such that (x,w) RL
• Examples– The plaintext of c using public key pk is m
• Witness is r such that c = Encpk(m;r)
– The circuit C is satisfiable• Witness w input to circuit such that C(w)=1
Circuit Satisfiability is an NP-complete language
Interactive proof system for L
• Efficient interactive algorithms P, V– The prover algorithm P takes as initial input a statement
x and a witness w such that (x,w)RL
– The verifier algorithm V takes as initial input a statement x
• P and V interact and afterwards V returns a bit b– b = 1 corresponds to accept– b = 0 corresponds to reject
• Completeness:– Honest P on (x,w)RL always makes honest V accept
Soundness
Soundness:Pr[ xL and b=1] 0
Adversary Verifier
xL
b
Proof or argument
• Proof (statistical/perfect soundness):– (P,V) is a proof system for L if an unbounded adversary
has negligible chance of convincing the verifier on a false statement
• Argument (computational soundness):– (P,V) is an argument system for L if a non-uniform
polynomial time adversary has negligible chance of convincing the verifier on a false statement
Zero-knowledge
• Zero-knowledge:– The proof only reveals the statement is true, it does not
reveal anything else
• Defined by simulation:– The adversary can simulate the proof without knowing
the prover’s witnessxL
xL
Efficiency
• Parameters– Communication– Verifier computation– Prover computation– Number of rounds of interaction
Fiat-Shamir heuristic:
Public coin protocol where verifier just sends random challenges.Can replace verifier with cryptographic hash-functionGives non-interactive protocol that may be verified many times.
Our goal
• Sublinear communication• Linear computation for verifier• Quasi-linear computation for prover• Constant round complexityCannot leak many bits about
witness. Zero-knowledge easy.
Must convince verifier using less bits than the witness. Soundness hard.
Example
• Language L = {(p,G,G,H,U,V) | w: U=Gw,V=Hw}– G is a prime order p group, G,H,U,V G
Prover Verifier
A=Gr, B=Hr
x
fwx+r
Accept ifUxA = Gf
VxB = Hf
Completeness: UxA = (Gw)xGr = Gwx+r = Gf
VxB = (Hw)xHr = Hwx+r = Hf
So verifier accepts
Soundness: UxA = (Gu)xGa = Gux+a = Gf
VxB = (Hv)xHb = Hvx+b = Hf
So ux+a vx+b, which is very unlikely for a randomly chosen x unless u = v and a = b
It is not zero-knowledge
It is special honest verifier zero-knowledge:Given x in advance simulate by picking f at random and computing A=GfU-x, B=HfV-x
A, B
f
Batch proofs
• Language L = {(p,G,G,H,U1,V1,…,Un,Vn) | w1,…,wn: U1=Gw1,V1=Hw1,…,Un=Gwn,Vn=Hwn}
Prover Verifier
A=Gr, B=Hr
x
fr+wixi
Accept ifAUi
xi = Gf
BVixi = Hf
A, B
f
Soundness: AUi
xi = Ga(Gui)xi = Ga+uixi = Gf
BVixi = Hb(Hvi)xi = Hb+vix
i = Hf
So a+uixi b+vixi , which is very unlikely for a randomly chosen x unless a = b and ui = vi
Schwartz-Zippel lemma
• Given two different polynomials p(X)q(X) in Zp[X] of degree n, the chance over random xZp that p(x)=q(x) is at most n/p
• In our batch proof, the probability of a+uixi b+vixi
is at most n/p for random x unless a = b and ui = vi
Pedersen commitment
• Commitment key ck = (p,G,G,H)• Commit(a;r) = GaHr where rZp
• Opening of commitment C is (a,r) such that C=GaHr
• Computationally binding:– Cannot find ab, r,s such that GaHr = GbHs
• Perfectly hiding:– No matter what a is we get random group element C
Generalized Pedersen commitment
• Commitment key ck = (p,G,G1,…,Gn,H)
• Commit(a1,…,an;r) = HrGiai where rZp
• Computationally binding:– Cannot find (a1,…,an,r)(b1,…,bn,s) for same C
• Perfectly hiding:– For all (a1,…,an) we get random group element C
Generalized Pedersen commitment
• Commit(a1,…,an;r) = Hr Giai where rZp
• Length-reducing:– A single group element even for large vectors (a1,…,an)
• Homomorphic:Commit(a1,…,an;r)∙Commit(b1,…,bn;s)
= Commit(a1+b1,…,an+bn;r+s)
Identical committed matrices A=B
A1=commit(a1;r1)
…
Am=commit(am;rn)
B1=commit(b1;s1)
…
Bm=commit(bm;sn)
Prover Verifier
C,D
x
f,r,s
Accept ifCAi
xi=com(f;r)
DBixi=com(f;s)
Soundness: CAi
xi = com(t+aixi;r) = com(f;r)
DBixi = com(t’+bixi;s) = com(f;s)
So t+aixi = t’+bixi, which is very unlikely for a randomly chosen x unless ai=bi and hence A=B
Completeness: C=commit(t;r0), D=commit(t;s0) f=t+aixi, r=r0+rixi
, s=s0+sixi
Efficiency
• Communication: 2m+n group and field elements• Verifier computes: 2m exponentiations• Prover computes: 2mn exponentiations• Rounds: 3
• Compare to O(mn) complexity using standard Pedersen commitments and no batching
Circuit Satisfiability
• General: NP-complete• Model: Resembles real computation• Benchmark: Widely used in ZK proofs
NAND
NAND
a1
b1
b2
1
a2
Standard zero-knowledge argument for CSAT
• Prove committed a1,a2,b1,b2{0,1}
• Prove committed a2=(a1b1), 1=(a2b2)
• Total cost for N-gate circuit:– O(N) group and field elements– O(N) exponentiations for both prover and verifier
NAND
NAND
Commit(a1;r1)
Commit(b2;s2)
Commit(b1;s1)
Commit(a2;r2)
Commit(1;0)
Committed a,b,c such that c=(ab)Homomorphic property gives 1-cMultiplication proof for 1-c=abCost O(1) group and field elementsO(1) exponentiations for proverO(1) exponentiations for verifier
Committed a{0,1}
Multiplication proof for a∙a=aCost O(1) group and field elementsO(1) exponentiations for proverO(1) exponentiations for verifier
Batch proof for Circuit Satisfiability
• Commit(a1,a2;r), Commit(b1,b2;s)
• Batch proof for a1,a2,b1,b2{0,1}Batch proof for a2=(a1b1), 1=(a2b2)
• Total cost for N-gate circuit:– O(N) group and field elements– O(N) multiplications for both prover and verifier
NAND
NAND
a1 a2
b1
b2
Batched commitment to wires of circuit
• Public commitment key (p,G,H,G1,…,Gn)
• Commit to a1,…,aN, where N=mn, asA1 = Commit(a11,…,a1n;r1)
…Am = Commit(am1,…,amn;rm)
• Cost of committing to N=mn field elements– Commitment key has n group elements– There are m commitments– Batched openings contain n field elements– Setting m=n the cost is O(N) group and field elements
Batch argument for committed wires being 0/1
• Want to showCommit(a11,…,a1n;r1)
… satisfy aij{0,1}Commit(am1,…,amn;rm)
• Equivalent to showing aij(aij-1)=0
• Define bij=aij-1 and si=ri and computeCommit(b11,…,b1n;s1) = Commit(a1;r1) Commit(-1;0)
…Commit(bm1,…,bmn;sm)=Commit(am;rm)Commit(-1;0)
• Now need to show aijbij=0
Batch product argument
• Want to show aijbij=0 for committed values
Commit(a11,…,a1n;r1) Commit(b11,…,b1n;s1) …
Commit(am1,…,amn;rm) Commit(bm1,…,bmn;sm)
• Let verifier pick random y,zZp
• Will demonstrate ijyiaijbijzj=0
• Schwartz-Zippel tells us unless for all i,j: a ijbij=0 negligible probability this is true
Simplifying the batch product argument
• Given y,z prover will demonstrate ijyiaijbijzj=0 for commitments
Commit(ai1,…,ain;ri) Commit(bi1,…,bin;si)
• Defining (u1,…,un)(v1,…,vn)=jujvjzj the prover’s task is to demonstrate iyiaibi=0
• Using the homomorphic property we haveCommit(yiai;yiri) = Commit(ai;ri)yi
• This simplifies reduces the prover’s task to showCommit(ai’;ri’) Commit(bi;si)
contains values that satisfy iai’bi=0
Idea behind batch ZK argument
b1 b2 b3
a1 a1b1 a1b2 a1b3
a2 a2b1 a2b2 a2b3
a3 a3b1 a3b2 a3b3
a1b1+a2b2+a3b3
Idea behind batch ZK argument
x-1b1 + x-2b2 + x-3b3
x1a1 a1b1 x-1a1b2 x-2a1b3
+x2a2 x1a2b1 a2b2 x-1a2b3
+x3a3 x2a3b1 x1a3b2 a3b3
a1b1+a2b2+a3b3
x-1(a1b2+a2b3)
x-2(a1b3)
x1(a2b1+a3b2)x2(a3b1)
Main part of the batch product argument
• Given commitments and weighted inner product Commit(a1;r1) Commit(b1;s1)
… …Commit(am;rm) Commit(bm;sm)
show they contain values that satisfy iaibi=0
• Prover sends commitments C-m,…,C-1,C1,…,Cm
Ck = Commit(ck;tk) ck=i-j=k aibj
• Verifier sends random challenge xZp*
• Prover gives zero-knowledge argument for(xiai)(x-jbj) = xkck
Use homomorphic properties to computeA = Ai
xi = Commit(xiai;xiri)
B = Bjx-j = Commit(x-jbj;x-jsj)
C = Ckxk = Commit(xkck;xktk)
The final ZK argument costs O(n) field elements and O(n) exponentiations for prover and verifier
Soundness:Look at coefficient for x0. The equation gives
i-j=0xi-jaibj = iaibi = c0 = 0
By the Schwartz-Zippel lemma negligible probability over x for this being true unless iaibi = 0 as we wanted to show
Total batch proof
• Goal: Prove N=mn committed aij{0,1}
• Method: aijbij=0 where bij=aij-1– Verifier sends challenges y,z– Prover sends C-m,…,C-1,C1,…,Cm
– Verifier sends challenge x– Prover argues A,B,C contains aj,bj,cj such that ajbj=cj
• Cost:– Communicates O(m+n) group and field elements– Verifier uses O(m+n) exponentiations
Prover’s computation
b1 b2 b3
a1 a1b1 a1b2 a1b3
a2 a2b1 a2b2 a2b3
a3 a3b1 a3b2 a3b3
a1b2+a2b3
a1b3
a2b1+a3b2a3b1
Naively m2n multiplications
Instead evaluate in 2m points 1,..., 2m and use polynomial interpolation to find coefficients of (aii)(bj-j) = ckk
Using FFT to evaluate aii and bj-j the cost is O(N log m)
Batch proof for Circuit Satisfiability
• Commit(a1,a2;r), Commit(b1,b2;s)
• Batch proof for a1,a2,b1,b2{0,1}
• Batch proof for a2=(a1b1), 1=(a2b2)
• Batch wire consistency proof
NAND
NAND
a1 a2
b1
b2
Wire consistency (sketch)
• Committed outputs of gates ai matching inputs bi to other gates in circuit
• Given permutation defined by circuit wiring prover wants to show bi = a(i)
• Verifier picks random challenge x• Prover demonstrates xibi = x(i)a(i)
• Cost:– Communication: O(m+n) elements– Verifier computation: O(N) multiplications– Prover computation: O(N log N) multiplications
Cost for N-gate circuit
• Standard argument– O(N) elements– O(N) verifier expos– O(N) prover expos– 3 rounds
• Batch argument– O(N) elements– O(N) verifier mults– O(N log N) prover mults– 5 rounds
Further developments
• Can they be even more efficient?• Yes, pairing-based techniques gives us
communication of O(N1/3) elements
• Can they be combined with group elements?• Yes
Efficient ZK arguments over fields & groups
• Can do addition using homomorphic properties• Can use our techniques to show multiplicative
relationship between committed values• Gives us linear algebra over committed elements
– For instance committed matrices satisfy AB=C
• Statements involving group elements and exponentiations– For instance C=ijAij
bij
Intuition
x-1b1 + x-2b2 + x-3b3
A1x1 A1
b1 A1x-1b2 A1
x-2b3
∙A2
x2 A2x1b1 A2
b2 A2x-1b3
∙A3
x3 A3x2b1 A3
x1b2 A3b3
A1x-2b3
A1x-1b2∙A2
x-1b3
A2x1b1∙A3
x1b2 A1b1∙A2
b2 ∙A3b3 A3
x2b1
Application to mix-nets
mπ(1) mπ(2) mπ(N)
…
π1
π2
π = π1π2
m1 m2 mN
Threshold decryption
Problem: Corrupt mix-server
mπ(1) mπ(2) m´π(N)
…
π1
π2
π = π1π2
m1 m2 mN
Threshold decryption
• Mix-server gets input ciphertexts c1,…,cN
• Permutes and rerandomizes ciphertextsc1’=c(1)∙(Gr1,Hr1), …, cN’=c(N)∙(GrN,HrN)
• Zero-knowledge argument for correct shuffle– Joint work with Stephanie Bayer, UCL– Communication: 16N elements– Verifier computation: 4N exponentiations– Prover computation: O(N log N) exponentiations– Rounds: 9
ElGamal shuffleStatement (c1,c1’,...,cN,cN’) can be huge.For instance election with 100,000 voters.
Experimental results for N=100,000N=mn, where m=16, |p|=1024, |q|=160Communication: 2.5 MBVerifier computation: 52 secondsProver computation: 135 seconds
Vision
• Zero-knowledge proofs should be the cheapest component in cryptographic protocols– Something you can just throw in automatically without
significant overhead
• Thank you!