One-out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin
Jens Groth
University College London
Markulf Kohlweiss
Microsoft Research
One-out-of-many statement
One of them holds gold!
But I will not tell you which one!
Prover Verifier
One-out-of-many proof
Prover → Verifier: argument
Zero-knowledge: it remains secret which one of them holds gold
Soundness: only accept if one of them holds gold
Ring signature
Ring signature: one of them signed, but it is secret who it was
Construction: non-interactive one-out-of-many argument of knowledge of a secret key corresponding to one of their public keys
Zerocoin
Coin spending: serial number 1001101
Anonymity: each coin has a unique secret serial number known only to its owner; a one-out-of-many proof demonstrates that one of the coins has this serial number
Membership proof
One-out-of-many proof that a secret committed value belongs to a list
One-out-of-many proof for commitment to 0
Statement: claim that one of them is a commitment to 0
Prover (holds the witness) → Verifier
Soundness: the statement is true, there is a commitment to 0
Zero-knowledge: it remains secret which commitment contains 0
Pedersen commitments
• Setup with a commitment key that specifies a group of prime order and two random generators
• Commitment to a message using randomness, computed from the two generators
• Additively homomorphic: com(a) ⋅ com(b) = com(a + b)
• Perfectly hiding
• Computationally binding
  – Assuming it is hard to compute discrete logarithms
Sigma-protocols
• -special soundness: compute the witness from answers to different challenges
• Special honest verifier zero-knowledge: given the challenge, simulate a transcript
Statement; witness s.t.
Prover → Verifier: a
Verifier → Prover: x ← Z_p^*
Prover → Verifier: z
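The Pedersen commitment and the three-move Sigma-protocol of the two slides above, as an added worked example (my own code, not from the slides or the authors). It uses a constructed toy group, the squares in Z_10007^* (prime order q = 5003, far too small for real use, where a 256-bit elliptic curve group is the realistic choice), com(m; r) = g^m h^r with the homomorphic check, the protocol for knowledge of an opening, the 2-special-soundness extractor that recovers the witness from two answers to different challenges with the same first message, and the special honest-verifier simulator that produces an accepting transcript for a given challenge without the witness. All function names, the generators 4 and 9, and the sample challenges are my choices.

```python
# Added example (not from the slides). Constructed toy group: the squares in
# Z_10007^*, a subgroup of prime order q = 5003; far too small for real use.
import secrets

P, Q = 10007, 5003   # safe prime p = 2q + 1
G, H = 4, 9          # two squares mod p, i.e. generators of the order-q subgroup


def com(m, r):
    """Pedersen commitment com(m; r) = g^m h^r: perfectly hiding, binding under DL."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P


def homomorphic_check(a, r, b, s):
    """Additive homomorphism: com(a; r) * com(b; s) == com(a + b; r + s)."""
    return com(a, r) * com(b, s) % P == com(a + b, r + s)


# Sigma-protocol for the statement c with witness (m, r) such that c = com(m; r).
def sigma_commit():
    """Prover's first message a = com(alpha; beta) with fresh randomness."""
    alpha, beta = secrets.randbelow(Q), secrets.randbelow(Q)
    return com(alpha, beta), (alpha, beta)


def sigma_respond(state, m, r, x):
    """Prover's answer to challenge x: z = (alpha + x m, beta + x r) mod q."""
    alpha, beta = state
    return (alpha + x * m) % Q, (beta + x * r) % Q


def sigma_verify(c, a, x, z):
    """Accept iff com(z_m; z_r) == a * c^x."""
    return 0 < x < Q and com(*z) == a * pow(c, x, P) % P


def extract(a, x1, z1, x2, z2):
    """2-special soundness: two accepting transcripts (a, x1, z1) and (a, x2, z2)
    with x1 != x2 reveal the opening (m, r) by dividing the differences by x1 - x2."""
    inv = pow((x1 - x2) % Q, -1, Q)
    return (z1[0] - z2[0]) * inv % Q, (z1[1] - z2[1]) * inv % Q


def simulate(c, x):
    """SHVZK: with the challenge known in advance, pick z first and set a = com(z) / c^x."""
    z = (secrets.randbelow(Q), secrets.randbelow(Q))
    return com(*z) * pow(c, -x % Q, P) % P, x, z


def demo():
    m, r = 42, secrets.randbelow(Q)
    c = com(m, r)
    a, state = sigma_commit()
    x1, x2 = 17, 4242                     # constructed distinct challenges
    z1, z2 = sigma_respond(state, m, r, x1), sigma_respond(state, m, r, x2)
    honest_ok = sigma_verify(c, a, x1, z1) and sigma_verify(c, a, x2, z2)
    recovered = extract(a, x1, z1, x2, z2) == (m, r)
    simulated_ok = sigma_verify(c, *simulate(c, 99))   # accepted, yet built without (m, r)
    return honest_ok, recovered, simulated_ok
```

The extractor is what soundness rests on: a prover that can answer two different challenges for the same first message must know the opening, so a cheating prover who knows none can answer at most one challenge out of q. The simulator is the zero-knowledge half: an accepting transcript for a chosen challenge is producible with no witness at all, so a transcript reveals nothing about it.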
Main result: one-out-of-many proof
Sigma-protocol for one out of many commitments being a commitment to 0
– Perfect completeness
– Computational -soundness
– Perfect special honest verifier ZK
Can use the Fiat-Shamir heuristic to make it non-interactive for ring signatures and Zerocoin
Rounds | Prover | Verifier | Communication
3 | expo. | expo. | group + field
For 256-bit elliptic curve groups: bytes
Binary tree
• Want to show c_ℓ = com(0; r) is a commitment to 0
• Equivalently write and
• Want to show is a commitment to 0
[Tree figure: N = 2^n leaves c_0, c_1, c_2, c_3 reached by edges labelled 0 and 1; bit-agreement indicators δ_00 = 1, δ_11 = 1, δ_01 = 0, δ_10 = 0]
Want SHVZK: cannot reveal ℓ
Commit to path
• Prover commits to
• Standard Sigma-protocol for knowledge of opening of commitment to
  – Run arguments for in parallel
[Tree figure: N = 2^n leaves c_0, c_1, c_2, c_3, edges labelled 0 and 1; c_ℓ = com(0; r)]
Build polynomials of degree in challenge x
• We have and
• Define f_j = x ℓ_j + a_j and and
• Check and
x ← Z_p^*
[Figure: ℓ_j, a_j, c_{ℓ_j}, f_j]
Polynomials defined by
Communication
• Use the committed path to construct polynomials in a verifiable manner
• Both prover and verifier can compute
• Prover sends before the challenge
• If then is a commitment to 0; otherwise there is only a negligible chance of a commitment to 0
One-out-of-many proofs
Sigma-protocol for one out of many commitments being a commitment to 0
Rounds | Prover | Verifier | Communication
3 | expo. | expo. | group + field
Can save computation if the prover knows the openings of all commitments instead of just one of them:
Rounds | Prover | Verifier | Communication
3 | mult. | expo. | group + field
Membership proof
• Have a commitment and want to give an argument of knowledge of an opening to a value in the list
• Give a one-out-of-many proof for the statement
• Save computation since both prover and verifier know a lot about the commitments
Rounds | Prover | Verifier | Communication
3 | mult. | mult. | group + field
Fiat-Shamir heuristic
• Sigma-protocol has quasi-unique challenges
  – Hard to compute many different answers to a challenge
  – Implies the non-interactive argument is simulation-extractable in the random oracle model
Statement; witness s.t.
Prover computes a, then x ← Hash(u, a, aux), then z
Non-interactive argument π = (a, z)
Ring signatures
• Ring contains public keys of the form
• Interpret them as commitments to 0, i.e., c_0 = h^{r_0}, c_1 = h^{r_1}, c_2 = h^{r_2}
• Use the Fiat-Shamir heuristic with challenge to prove knowledge of some
• Signature is the non-interactive argument
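The construction from the binary-tree, commit-to-path and polynomial slides, made non-interactive with the Fiat-Shamir challenge x ← Hash(u, a, aux) and used as a ring signature as on this slide, as an added worked example (my own code, not the authors' or the paper's). It assumes the same constructed toy group as the earlier example (squares in Z_10007^*, prime order q = 5003, generators 4 and 9, discrete logs trivially computable at this size, so only the protocol logic is illustrated). prove_commit, prove_respond and verify are the interactive three-move protocol with the challenge passed in explicitly; ring_sign and ring_verify derive it with SHA-256 over the ring, the first message and the signed message (my choice of aux). The function names and the 8-member ring are constructed.

```python
# Added example, not the authors' code. Constructed toy group: squares in Z_10007^*
# (prime order q = 5003); real deployments use a 256-bit elliptic-curve group.
import hashlib
import secrets
from functools import reduce

P, Q = 10007, 5003        # safe prime p = 2q + 1
G, H = 4, 9               # squares mod p, hence generators of the order-q subgroup

def com(m, r):
    """Pedersen commitment com(m; r) = g^m h^r."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P

def bits(i, n):
    """Binary digits i_1..i_n of i (least significant first): the path to leaf i."""
    return [(i >> j) & 1 for j in range(n)]

def poly_mul(a, b):
    """Product of two polynomials over Z_q, coefficients listed low degree first."""
    out = [0] * (len(a) + len(b) - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            out[i + j] = (out[i + j] + u * v) % Q
    return out

def prove_commit(cs, ell, r):
    """Prover's first move for witness (ell, r): commit to the path bits l_j and to d_k."""
    n = len(cs).bit_length() - 1
    assert len(cs) == 1 << n, "N must be a power of two"
    lb = bits(ell, n)
    a, r_l, s, t, rho = ([secrets.randbelow(Q) for _ in range(n)] for _ in range(5))
    c_l = [com(lb[j], r_l[j]) for j in range(n)]
    c_a = [com(a[j], s[j]) for j in range(n)]
    c_b = [com(lb[j] * a[j], t[j]) for j in range(n)]
    # p_i(x) = prod_j f_{j,i_j}(x) with f_{j,1} = l_j x + a_j and f_{j,0} = x - f_{j,1}.
    # The x^n coefficient of p_i is delta_{ell,i}; the lower ones p_{i,k} are hidden in c_d[k].
    polys = [reduce(poly_mul, ([a[j], lb[j]] if ij else [-a[j] % Q, 1 - lb[j]]
                               for j, ij in enumerate(bits(i, n)))) for i in range(len(cs))]
    c_d = []
    for k in range(n):
        acc = com(0, rho[k])
        for c, p in zip(cs, polys):
            acc = acc * pow(c, p[k], P) % P
        c_d.append(acc)
    return (c_l, c_a, c_b, c_d), (n, lb, a, r_l, s, t, rho, r)

def prove_respond(state, x):
    """Prover's answer to challenge x: the f_j = l_j x + a_j and blinding responses."""
    n, lb, a, r_l, s, t, rho, r = state
    f = [(lb[j] * x + a[j]) % Q for j in range(n)]
    z_a = [(r_l[j] * x + s[j]) % Q for j in range(n)]
    z_b = [(r_l[j] * (x - f[j]) + t[j]) % Q for j in range(n)]
    z_d = (r * pow(x, n, Q) - sum(rho[k] * pow(x, k, Q) for k in range(n))) % Q
    return f, z_a, z_b, z_d

def verify(cs, first, x, resp):
    c_l, c_a, c_b, c_d = first
    f, z_a, z_b, z_d = resp
    n = len(c_l)
    if len(cs) != 1 << n or not 0 < x < Q:
        return False
    for j in range(n):
        # f_j opens c_l^x c_a; l_j (x - f_j) = 0 then forces l_j into {0, 1}
        if pow(c_l[j], x, P) * c_a[j] % P != com(f[j], z_a[j]):
            return False
        if pow(c_l[j], (x - f[j]) % Q, P) * c_b[j] % P != com(0, z_b[j]):
            return False
    # prod_i c_i^{p_i(x)} * prod_k c_d[k]^{-x^k} must be a commitment to 0
    lhs = 1
    for i, c in enumerate(cs):
        e = 1
        for j, ij in enumerate(bits(i, n)):
            e = e * (f[j] if ij else x - f[j]) % Q
        lhs = lhs * pow(c, e, P) % P
    for k in range(n):
        lhs = lhs * pow(c_d[k], -pow(x, k, Q) % Q, P) % P
    return lhs == com(0, z_d)

def challenge(cs, first, aux):
    """Fiat-Shamir: x = Hash(statement, first message, aux), mapped into Z_q^*."""
    digest = hashlib.sha256(repr((cs, first, aux)).encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def ring_sign(ring, ell, sk, msg):
    """Ring keys are h^{sk_i} = com(0; sk_i); the signature is the non-interactive argument."""
    first, state = prove_commit(ring, ell, sk)
    return first, prove_respond(state, challenge(ring, first, msg))

def ring_verify(ring, msg, sig):
    return verify(ring, sig[0], challenge(ring, sig[0], msg), sig[1])

def demo(msg=b"spend coin 1001101"):
    sks = secrets.SystemRandom().sample(range(1, Q), 8)   # constructed ring: 8 distinct keys
    ring = [com(0, sk) for sk in sks]
    sig = ring_sign(ring, 5, sks[5], msg)
    ok = ring_verify(ring, msg, sig)
    wrong_msg = ring_verify(ring, msg + b"!", sig)
    forged = ring_verify(ring, msg, ring_sign(ring, 2, sks[5], msg))   # claims slot 2, knows sk_5
    return ok, wrong_msg, forged
```

The verifier's work is dominated by the N exponentiations c_i^{p_i(x)}; the prover's by building the N polynomials and the n commitments c_d[k]. The same prover serves the membership proof and the Zerocoin spend of the following slides (the paper's construction, not recovered from the slides themselves): to show the value in a commitment c lies in a list λ_1, ..., λ_N, run it on the list c · com(λ_i; 0)^{-1}; to spend a coin with serial number S, run it on c_i · com(S; 0)^{-1}, since exactly the true entry is then a commitment to 0.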
Zerocoin
• Bulletin board with coins
• Each coin is a commitment to a serial number
• Spend a coin from a set anonymously by posting the serial number and proving that one of the coins in the set has this serial number
  – Prove that one of is a commitment to 0 using a Fiat-Shamir challenge
  – The serial number prevents double spending
  – Zero-knowledge guarantees anonymity
Summary
Sigma-protocol for one out of many commitments being a commitment to 0
– Perfect completeness
– Computational -soundness
– Perfect special honest verifier ZK
Applications: membership proof, ring signature, Zerocoin
Rounds | Prover | Verifier | Communication
3 | expo. | expo. | group + field