zero knowledge proofs and its applications in blockchain · zero knowledge proofs and its...
TRANSCRIPT
![Page 1: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/1.jpg)
Zero Knowledge Proofs and its applications in Blockchain
Shubham Sahai Srivastava
C3i Center, IIT Kanpur.Department of Computer Science and Engineering, IIT Kanpur.
Workshop on Blockchain and its Applications - 2018IIIT Allahabad, India
(August 19, 2018)
![Page 2: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/2.jpg)
Blockchain and Privacy?● Blockchain: immutability, censorship-resistance, and open and
permissionless● Bitcoin (Blockchain 1.0): pseudo-anonymity, public ledger,
patterns, de-anonymization … transactions● Ethereum (Blockchain 2.0): smart contracts, DApp … data● Fabric (Blockchain 3.0): Privacy and channels, … trust?● Do we need to continue transacting in the open to enjoy the
benefits?● Mixers, ring signatures, partially homomorphic…
![Page 3: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/3.jpg)
Zero Knowledge Proofs
The general idea of proof systems and zero
knowledge
● First proposed in 1985 by MIT researchers: Shafi Goldwasser, Silvio Micali, and Charles Rackoff
● Decades of research, but generating excitement lately!
● Potential to redefine the concept of online privacy.
![Page 4: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/4.jpg)
Let’s Begin …Bob is color blind!
![Page 5: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/5.jpg)
Let’s Begin …Color 1
![Page 6: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/6.jpg)
Let’s Begin …Color 2
![Page 7: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/7.jpg)
Let’s Begin …
1 2( )
nIf Alice is cheating, then probability of fooling Bob :
For n = 15 :
0.0000305
![Page 8: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/8.jpg)
In the end …Alice Convinces Bob, that with very high probability : “She has different coloured hats.”
However, Bob has no idea : “What are the colors of the hats?”
![Page 9: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/9.jpg)
● A method by which one party: “Prover”, can convince another party: “Verifier”; about the “truthfulness” of a statement.
● The protocol conveys nothing apart from the veracity of the statement. (Zero Knowledge)
● A zero knowledge proof must satisfy :● Completeness : Honest Prover can convince an honest Verifier.● Soundness : Cheating Prover can convince an honest Verifier
with negligible probability.● Zero Knowledge : Verifier learns nothing apart from
the veracity of the statement.
Zero Knowledge Proofs
![Page 10: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/10.jpg)
Graph 3-Coloring (G3C)No adjacent nodes have the same color.
The problem isNP-Complete
![Page 11: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/11.jpg)
G3C : Problem …
Given a Graph G with n vertices and m edges
I know the colouringG is 3-colorable!
Really? Prove it?
![Page 12: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/12.jpg)
G3C : Protocol …
Bob: Chooses an edge (e) randomly from the graph
Request keys for the 2 boxes corresponding to e
Alice: Choose random assignment of 3 colors and color the graph, locks them in a box and sends to Bob
Bob: If the colors in the boxes are different, colouring of the edge is correct.
![Page 13: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/13.jpg)
G3C : Protocol …
Bob: Chooses an edge (e) randomly from the graph
Alice: Choose random assignment of 3 colors and color the graph
If these two colors are different: “The edge chosen was correctly coloured”
Repeat the same experiment again!
![Page 14: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/14.jpg)
G3C: Repeat! How many times ?
m-1 m( )
m2If Alice is cheating, then probability of fooling Bob :
For m = 7 :
0.000524
![Page 15: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/15.jpg)
G3C: Is it a Zero Knowledge Proof?
It can be shown that the protocol satisfies:
● Completeness: Honest Prover can convince an honest Verifier.
● Soundness: Cheating Prover can convince an honest Verifier with negligible probability.
● Zero Knowledge: Verifier learns nothing apart from the veracity of the statement.
![Page 16: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/16.jpg)
Application of ZKP in Blockchains?
● The proofs seen so far are interactive● Not suitable for blockchain applications. Why?● Desirable properties from a ZKP variant to be usable in
blockchain:● Non-interactiveness● Small in size● Fast verification
![Page 17: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/17.jpg)
zk-SNARK“it’s really mind boggling”
- Sergey Brin (Blockchain Summit-2018)
Zero Knowledge
● Succinct● Non-interactive● ARguments of● Knowledge
“
![Page 18: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/18.jpg)
Non Interactive Zero Knowledge Proofs
● No interaction required between the Prover and the Verifier● Impossible in standard cryptographic model
[Goldreich and Oren; 1993]● Possible in common reference string and random oracle
model.● Common reference string can yield computational zero
knowledge.
![Page 19: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/19.jpg)
zk-SNARKs
● No interaction with Prover required● A proof once generated can be verified by anyone● To establish this, we need to establish some shared
“reference string”● This is done during Setup Phase…generates toxic waste● For every function (circuit) we need to run the Setup
Phase
![Page 20: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/20.jpg)
What can we do with it?
x3 + x + 5 == 35I know a ‘x’, such that :
Really? Why don’t you
prove it?
![Page 21: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/21.jpg)
Lets work out this example…
def qeval(x): y = x**3 return x + y + 5
Function: sym1 = x * x y = sym1 * x sym2 = y + x ~out = sym2 + 5
Flattened Code:
x3 + x + 5 == 35
![Page 22: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/22.jpg)
Arithmetic Circuit from code…
sym1 = x * x y = sym1 * x sym2 = y + x ~out = sym2 + 5
Flattened Code:
x
x x
x
x
+
xsym1
sym2
y
+
5
out
![Page 23: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/23.jpg)
Constraints on variables …
x
x x
x
xsym1
+
+
x
sym2
y5
out Every gate in the circuit, imposes a constraint on its inputs and outputs.
+
x
sym2
y
x + y = sym2
x
xsym1
y
x * sym1 = y
![Page 24: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/24.jpg)
Rank 1 Constraint System (R1CS)
● Sequence of 3 vectors (a,b,c) and a solution vector s, which satisfy: s.a * s.b - s.c = 0
● Represent constraint corresponding to each gate as a R1CS● The vectors will be:
● a : Left input to the gate● b : Right input to the gate● c : Output of the gate● s : Solution vector
![Page 25: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/25.jpg)
R1CS
x
x x
x
x
+
xsym1
sym2
y
+
5
outFix a variable ordering amongst all the variables of the circuit
[ ONE, x, OUT, sym1, y, sym2 ]
RECALL: Every gate corresponds to a constraint
![Page 26: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/26.jpg)
R1CS …
x
xsym1
y
[ ONE, x, OUT, sym1, y, sym2 ]
0 0 0 1 0 0
a =
0 1 0 0 0 0
b =
0 0 0 0 1 0
c =
0 3 0 5 15 0
s =
Easy to see s.a * s.b - s.c = 0 holds
Represent all the gates as R1CS
![Page 27: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/27.jpg)
R1CS
● Goal is to come up with s, that satisfies all the R1CS simultaneously.
● To verify: Solve each R1CS equation corresponding to a solution vector.
● Can we do better?
![Page 28: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/28.jpg)
Quadratic Arithmetic Programs (QAPs)
A(x) = Σ si Ai(x)
B(x) = Σ si Bi(x)
C(x) = Σ si Ci(x)
Should be 0 for all x corresponding to circuit gates.
![Page 29: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/29.jpg)
QAP …A(x) * B(x) - C(x) = 0, ∀ x ∈ [1, |Gates| ]
A(x) * B(x) - C(x) is divisible by π(x-i)i=1
|Gates|
Target Polynomial (T(x))
![Page 30: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/30.jpg)
QAP …
A(x) * B(x) - C(x) = H(x) * T(x)A(x) = Σ si Ai(x)B(x) = Σ si Bi(x)C(x) = Σ si Ci(x)
If we know the solution vector (s), then: • We know: si, ∀i ∈ [1, |Vars| ] • For a given e, can compute : A(e), B(e), C(e) • T(x) is public, so we can compute H(e)
![Page 31: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/31.jpg)
Proof● The evaluation point e is chosen randomly by the Verifier and sent to the Prover.
● A(e), B(e), C(e), H(e) is the desired proof.● The point e is send in an “hidden” form.● Polynomials have to be evaluated “blindly”.● Elliptic Curve pairings are used as a underlying “hiding
scheme”.
![Page 32: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/32.jpg)
Applications in Blockchain
● Zcash● Ethereum● Hyperledger Fabric
![Page 33: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/33.jpg)
Zcash
● Privacy preserving crypto currency based on zk-SNARKs● A transaction contains: sender(input txns), amount,
reciever(output txn)● Publish proof that a private transaction follows the rules of the
Zcash network, concealing the sender, recipient, and amount(shielded transactions)
● Downside? Trusted Setup (Zcash Trusted Setup Ceremony)
![Page 34: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/34.jpg)
Zcash: Destroying toxic waste…
Pic Credit : Peter Todd
The burnt remains of one machine involved in Zcash’s trusted setup
![Page 35: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/35.jpg)
Ethereum
● Data Privacy?● All details about a smart contract are public on the
Ethereum blockchain● fund senders and recipients, all transaction data, all
code executed …● Privacy by secure commitments
![Page 36: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/36.jpg)
Ethereum (Metropolis)
● Ability to verify zk-SNARKs efficiently on-chain.● Users can store secret off-chain ● Each of these use cases require their own trusted
setup● Contract data has 1-to-1 correspondence with the
user● Can’t achieve autonomous privacy
![Page 37: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/37.jpg)
Hyperledger Fabric (ZKAT)● Integrate ZKP into a wider range of applications targeting asset
management● Use of ZKP for privacy-preserving asset management with audit
support● ZKAT is built on top of anonymous authentication mechanisms
offered by Identity Mixer.● Asset Management: issue asset, request transfer of their assets in
zero knowledge● Support Audibility: By assigning auditors to organizations, giving
them unrestricted access.
![Page 38: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/38.jpg)
ZKAT Pic Credit : IBM Developer Works
![Page 39: Zero Knowledge Proofs and its applications in Blockchain · Zero Knowledge Proofs and its applications in Blockchain Shubham Sahai Srivastava C3i Center, IIT Kanpur. Department of](https://reader033.vdocument.in/reader033/viewer/2022052923/5f03ce987e708231d40addf8/html5/thumbnails/39.jpg)
Thank You!