1 / 21

Linear Algebra with Sub-linear Zero-Knowledge Arguments

Linear Algebra with Sub-linear Zero-Knowledge Arguments. Jens Groth University College London. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A A A A A A A A A A. Motivation. Why does Victor want to know my password, bank statement, etc.?.

belle-parker
Download Presentation

Linear Algebra with Sub-linear Zero-Knowledge Arguments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Linear Algebra with Sub-linear Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAAAAAA

  2. Motivation Why does Victor want to know my password, bank statement, etc.? Did Peggy honestly follow the protocol? No! Show me all your inputs! Peggy Victor

  3. Zero-knowledge argument Statement Zero-knowledge:Nothing but truth revealed Witness Soundness:Statement is true Prover Verifier 

  4. Statements • Mathematical theorem: 2+2=4 • Identification: I am me! • Verification: I followed the protocol correctly. • Anything: X belongs to NP-language L

  5. Our contribution • Perfect completeness • Perfect (honest verifier) zero-knowledge • Computational soundness • Discrete logarithm problem • Efficient

  6. Which NP-language L? Circuit Satisfiability! Anonymous Proxy Group Voting! George theGeneralist Sarah theSpecialist

  7. Linear algebra Great, it is NP-complete If I store votes as vectors and add them... George theGeneralist Sarah theSpecialist

  8. Statements

  9. Levels of statements Circuit satisfiability Known

  10. Reduction 1 Circuit satisfiability See paper

  11. Reduction 2 Example:

  12. Reduction 3 commit Peggy Victor

  13. Pedersen commitment • Computationally binding • Discrete logarithm hard • Perfectly hiding • Only 1 group element to commit to n elements • Only n group elements to commit to n rows of matrix Computational soundness Perfect zero-knowledge Sub-linear size

  14. Pedersen commitment • Homomorphic • So

  15. Example of reduction 3 commit

  16. Reduction 4 commit

  17. Product

  18. Example of reduction 4 Soundness: For the sm parts to match for random s it must be that • Statement: Commitments to • Peggy → Victor: Commits to diagonal sums • Peggy ← Victor: Challenge • New statement:

  19. Reducing prover’s computation • Computing diagonal sums requires ω(mn) multiplications • With 2log m rounds prover only uses O(mn) multiplications

  20. Basic step Known

  21. Conclusion

More Related