Efficient zero knowledge proof systems
This presentation is the property of its rightful owner.
Sponsored Links
1 / 28

Efficient Zero-Knowledge Proof Systems PowerPoint PPT Presentation


  • 51 Views
  • Uploaded on
  • Presentation posted in: General

Efficient Zero-Knowledge Proof Systems. Jens Groth University College London. Privacy and verifiability. No! It is a trade secret. Did I lose all my money? Show me the current portfolio!. Hedge fundInvestor. Zero-knowledge proof. Statement.

Download Presentation

Efficient Zero-Knowledge Proof Systems

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Efficient zero knowledge proof systems

Efficient Zero-Knowledge Proof Systems

Jens Groth

University College London


Efficient zero knowledge proof systems

Privacy and verifiability

No! It is a trade secret.

Did I lose all my money?Show me the current portfolio!

Hedge fundInvestor


Zero knowledge proof

Zero-knowledge proof

Statement

Zero-knowledge:Nothing but truth revealed

Soundness:Statement is true

Witness

ProverVerifier


Internet voting

Internet voting

Tally without decrypting individual votes

Vote

Encrypts vote to keep it private

Ciphertext

VoterElection authorities


Election fraud

Election fraud

Not Bob

Encrypts -100 votes for Bob

Is the encrypted vote valid?

Ciphertext

VoterElection authorities


Zero knowledge proof as solution

Zero-knowledge proof as solution

Zero-knowledge:Vote is secret

Soundness:Vote is valid

Ciphertext

Zero-knowledge proof for valid vote encrypted

VoterElection authorities


Mix net anonymous message broadcast

Mix-net: Anonymous message broadcast

Threshold decryption

mπ(1)

mπ(2)

mπ(N)

π = π1◦π2

π2

m1

m2

mN

π1


Efficient zero knowledge proof systems

Problem: Corrupt mix-server

Threshold decryption

mπ(1)

mπ(2)

m´π(N)

π = π1◦π2

π2

m1

m2

mN

π1


Solution zero knowledge proof

Solution: Zero-knowledge proof

Threshold decryption

mπ(1)

mπ(2)

mπ(N)

π = π1◦π2

Server 2 ZK proofPermutation still secret(zero-knowledge)

π2

Server 1 ZK proofNo message changed(soundness)

m1

m2

mN

π1


Efficient zero knowledge proof systems

Preventing deviation (active attacks) by keeping people honest

Yes, here is a zero-knowledge proof that everything is correct

Did you follow the protocol honestly without deviation?

AliceBob


Cryptography

Cryptography

Problems typically arise when attackers deviate from aprotocol (active attack)

Zero-knowledge proofs prevent deviation and give security against active attacks


Fundamental building block

Fundamental building block

Доверяй, но проверяй

- Trust but verify

zero-knowledge

signatures

encryption


Zero knowledge proofs

Zero-knowledge proofs

  • Completeness

    • Prover can convince verifier when statement is true

  • Soundness

    • Cannot convince verifier when statement is false

  • Zero-knowledge

    • No leakage of information (except truth of statement) even if interacting with a cheating verifier


Parameters

Parameters

  • Efficiency

    • Communication (bits)

    • Prover’s computation (seconds)

    • Verifier’s computation (seconds)

    • Round complexity (number of messages)

  • Security

    • Setup

    • Cryptographic assumptions


Round complexity

Round complexity

  • Interactive zero-knowledge proof

  • Non-interactive zero-knowledge proof


Zero knowledge proof efficiency

Zero-knowledge proof efficiency

cost

non-interactive zero-knowledge proofs

interactive zero-knowledge proofs

rest of the protocol

19852014


Vision

Vision

  • Main goal

    • Efficient and versatile zero-knowledge proofs

  • Vision

    • Negligible overhead from using zero-knowledge proofs

    • Security against active attacks standard feature

zero-knowledge

core

core


Statements

Statements

SAT

0

  • Statements are for a given NP-language

  • Prover knows witness such that

    • But prover wants to keep the witness secret!

1

1

Encrypted valid vote

0

Circuit SAT

Hamiltonian


Proof system

Proof system

  • A proof system for an NP-relation consists of a prover and a verifier

    • We consider efficient proof systems: prover and verifier are probabilistic polynomial time interactive algorithms

    • Both prover and verifier get a statement as input

    • The prover gets a witness such that

    • They interact and finally the verifier accepts or rejects


Graph isomorphism

Graph isomorphism


Exercise

Exercise

  • Argue the GI proof system is complete

  • What is the probability of the prover cheating the verifier? (soundness)

  • Argue the GI proof system is witness indistinguishable, i.e., when there are several isomorphisms between the two graphs it is not possible to know which one the prover has in mind


Completeness

Witness wso (x,w)R

Completeness

Statement xL

Accept or reject

Perfect completeness: Pr[Accept] = 1


Soundness

Soundness

Statement xL

Accept or reject

Computational soundness: For ppt adversary Pr[Reject] ≈ 1

Statistical soundness: For any adversary Pr[Reject] ≈ 1

Perfect soundness: Pr[Reject] = 1


Arguments and proofs

Arguments and proofs

Arguments can be more efficient than proofs

  • Argument (or computationally sound proof)

    • Computational soundness, holds against polynomial time adversary, relies on cryptographic assumptions

  • Proof

    • Unconditional soundness, holds against unbounded adversary, and in particular without relying on cryptographic assumptions


Witness indistinguishability

Witness indistinguishability

0/1

0/1

WI:

Can be computational, statistical or perfect


Zero knowledge

Zero-knowledge

  • Zero-knowledge:

    • The proof only reveals the statement is true, it does not reveal anything else

  • Defined by simulation:

    • The adversary could have simulated the proof without knowing the prover’s witness


Zero knowledge1

Zero-knowledge

view

Simulator’s advantage: Can rewind adversary

view

ZK:

Can be computational, statistical or perfect


Exercises

Exercises

  • Show the GI proof is perfect zero-knowledge

  • Argue why zero-knowledge implies witness indistinguishability

  • Give an example of a language and a proof system that is witness indistinguishable but not zero-knowledge (under reasonable assumptions)


  • Login