zero-knowledge argument for polynomial evaluation with applications to blacklists
DESCRIPTION
Zero-Knowledge Argument for Polynomial Evaluation with Applications to Blacklists. Stephanie Bayer Jens Groth University College London. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A A A A A A A A A A. P olynomial. - PowerPoint PPT PresentationTRANSCRIPT
Zero-Knowledge Argument for Polynomial Evaluation with Applications to Blacklists
Stephanie Bayer
Jens Groth
University College London
Polynomial
𝑣
𝑢
(𝑢 ,𝑣 )
Zero-knowledge argument for correct polynomial evaluation
Statement:
such that
Prover Verifier
Witness
SoundnessStatement is true
Zero-knowledgeNothing else revealed remains secret
𝑣𝑢
Membership and non-membership proofs
• List and• Define
• If then – Prove where committed trivially
• If then – Prove where and prove
𝑢
𝑢0
𝑢𝑣
Zero-knowledge argument for correct polynomial evaluation
Statement:
such that
Prover Verifier
Witness Special honest-verifier zero-knowledgeGiven any challenge possible to simulate the argument
𝑣𝑢
3-move argument
Public coinVerifier picks challenge
Argument of knowledgeCan extract such that
Easy to convert to full zero-knowledge
Commitment properties
• Additively homomorphic
• SHVZK argument for multiplicative relationship
• Examples– Pedersen commitments – ElGamal-style commitments
𝑎 𝑏⋅ ¿ 𝑎+𝑏
𝑎 𝑏 𝑎𝑏
Simple SHVZK argument for correct polynomial evaluation
Horner’s rule gives us
Commit to the intermediate values and prove correct
𝑣
𝑢
𝑎𝐷− 1+𝑢𝑎𝐷
𝑢(𝑎𝐷−1+𝑢𝑎𝐷))
𝑎1+𝑢…
𝜋mult𝜋mult
Efficiency – using Pedersen commitments
Degree D polynomial Rounds Prover Verifier Comm.
Chaum and Ped. 1992 3 expo. expo. group
Brands et al. 2007 3 . expo. group
Degree D polynomial Rounds Prover Verifier Comm.
This work 3 expo. mul.
expo. mult.
group field
Rewriting the polynomial
Prover wants to demonstrate
Without loss of generality
Write in binary to get
Commit to powers of
𝑢 𝑢2 𝑢4 𝑢2𝑑
𝜋mult 𝜋mult 𝜋mult
…
…
commitments and arguments
Zero-knowledge argument of knowledge of power of
Statement:
Accept if opens to
Witness 𝑢2
𝑗
𝑓 𝑗
𝑓 𝑗←𝒁 𝑝 𝑥←𝒁𝑝𝑥
𝑓 𝑗=𝑥𝑢2𝑗
+ 𝑓 𝑗
𝑢2𝑗 𝑓 𝑗
𝑥⋅
KnowledgeAnswers to 2 challenges
would reveal
Zero-knowledge is uniformly random regardless of
Masked powers of
𝑢 𝑢2 𝑢4 𝑢2𝑑
…
𝑓 0=𝑥𝑢20
+ 𝑓 0
𝑓 1=𝑥𝑢21
+ 𝑓 1
𝑓 2=𝑥𝑢22+ 𝑓 2
𝑓 𝑑=𝑥𝑢2𝑑
+ 𝑓 𝑑
A helpful polynomial
𝛿𝑑 𝛿1 𝛿0…𝑣
CompletenessIf prover okSoundnessIf prover fails
commitments
SHVZK argument for point on polynomial
∑𝑖𝑑 ,… ,𝑖0=0
1
𝑎𝑖𝑑… 𝑖0∏𝑗=0
𝑑
𝑓 𝑗𝑖 𝑗 𝑥1− 𝑖 𝑗Accept if is inside
𝑥←𝒁𝑝
𝑓 𝑗=𝑥𝑢2𝑗
+ 𝑓 𝑗
Statement: such that 𝑣𝑢
𝛿𝑑 𝛿1 𝛿0…
𝑣 𝛿𝑑 𝛿1 𝛿0…𝑥𝑑+1
⋅𝑥𝑑
⋅𝑥⋅⋅
Soundness
SHVZK argument for polynomial evaluation
• 3-move public coin argument• Simple setup with commitment key • Perfect completeness• Comp. soundness based on discrete log. problem• Perfect special honest verifier zero-knowledge
Statement: such that 𝑣𝑢
Efficiency – using Pedersen commitments
Degree D polynomial Rounds Prover Verifier Comm.
This work 3 expo. mul.
expo. mult.
group field
Degree D Rounds Prover Verifier Comm.
10 3 13 ms 17 ms 8 KB
100 3 24 ms 30 ms 15 KB
1000 3 41 ms 45 ms 21 KB
10000 3 182 ms 81 ms 29 KB
100000 3 1,420 ms 217 ms 35 KB
1000000 3 15,512 ms 1,315 ms 41 KB
256-bit subgroup modulo 1536-bit prime on MacBook, 2.54 GHz