1 / 28

Efficient Zero-Knowledge Proof Systems

Efficient Zero-Knowledge Proof Systems. Jens Groth University College London. Privacy and verifiability. No! It is a trade secret. Did I lose all my money? Show me the current portfolio!. Hedge fund Investor. Zero-knowledge proof. Statement.

Download Presentation

Efficient Zero-Knowledge Proof Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Efficient Zero-Knowledge Proof Systems Jens Groth University College London

  2. Privacy and verifiability No! It is a trade secret. Did I lose all my money?Show me the current portfolio! Hedge fund Investor

  3. Zero-knowledge proof Statement Zero-knowledge:Nothing but truth revealed Soundness:Statement is true Witness Prover Verifier 

  4. Internet voting Tally without decrypting individual votes Vote Encrypts vote to keep it private Ciphertext Voter Election authorities

  5. Election fraud Not Bob Encrypts -100 votes for Bob Is the encrypted vote valid? Ciphertext Voter Election authorities

  6. Zero-knowledge proof as solution Zero-knowledge:Vote is secret Soundness:Vote is valid Ciphertext Zero-knowledge proof for valid vote encrypted Voter Election authorities

  7. Mix-net: Anonymous message broadcast Threshold decryption mπ(1) mπ(2) mπ(N) π = π1◦π2 π2 m1 m2 mN π1 …

  8. Problem: Corrupt mix-server Threshold decryption mπ(1) mπ(2) m´π(N) π = π1◦π2 π2 m1 m2 mN π1 …

  9. Solution: Zero-knowledge proof Threshold decryption mπ(1) mπ(2) mπ(N) π = π1◦π2 Server 2 ZK proofPermutation still secret(zero-knowledge) π2 Server 1 ZK proofNo message changed(soundness) m1 m2 mN π1 …

  10. Preventing deviation (active attacks) by keeping people honest Yes, here is a zero-knowledge proof that everything is correct Did you follow the protocol honestly without deviation? Alice Bob

  11. Cryptography Problems typically arise when attackers deviate from aprotocol (active attack) Zero-knowledge proofs prevent deviation and give security against active attacks

  12. Fundamental building block Доверяй, но проверяй - Trust but verify zero-knowledge signatures encryption

  13. Zero-knowledge proofs • Completeness • Prover can convince verifier when statement is true • Soundness • Cannot convince verifier when statement is false • Zero-knowledge • No leakage of information (except truth of statement) even if interacting with a cheating verifier

  14. Parameters • Efficiency • Communication (bits) • Prover’s computation (seconds) • Verifier’s computation (seconds) • Round complexity (number of messages) • Security • Setup • Cryptographic assumptions

  15. Round complexity • Interactive zero-knowledge proof • Non-interactive zero-knowledge proof 

  16. Zero-knowledge proof efficiency cost non-interactive zero-knowledge proofs interactive zero-knowledge proofs rest of the protocol 1985 2014

  17. Vision • Main goal • Efficient and versatile zero-knowledge proofs • Vision • Negligible overhead from using zero-knowledge proofs • Security against active attacks standard feature zero-knowledge core core

  18. Statements SAT 0 • Statements are for a given NP-language • Prover knows witness such that • But prover wants to keep the witness secret! 1 1 Encrypted valid vote 0 Circuit SAT Hamiltonian

  19. Proof system • A proof system for an NP-relation consists of a prover and a verifier • We consider efficient proof systems: prover and verifier are probabilistic polynomial time interactive algorithms • Both prover and verifier get a statement as input • The prover gets a witness such that • They interact and finally the verifier accepts or rejects

  20. Graph isomorphism

  21. Exercise • Argue the GI proof system is complete • What is the probability of the prover cheating the verifier? (soundness) • Argue the GI proof system is witness indistinguishable, i.e., when there are several isomorphisms between the two graphs it is not possible to know which one the prover has in mind

  22. Witness wso (x,w)R Completeness Statement xL Accept or reject Perfect completeness: Pr[Accept] = 1

  23. Soundness Statement xL Accept or reject Computational soundness: For ppt adversary Pr[Reject] ≈ 1 Statistical soundness: For any adversary Pr[Reject] ≈ 1 Perfect soundness: Pr[Reject] = 1

  24. Arguments and proofs Arguments can be more efficient than proofs • Argument (or computationally sound proof) • Computational soundness, holds against polynomial time adversary, relies on cryptographic assumptions • Proof • Unconditional soundness, holds against unbounded adversary, and in particular without relying on cryptographic assumptions

  25. Witness indistinguishability 0/1 0/1 WI: Can be computational, statistical or perfect

  26. Zero-knowledge • Zero-knowledge: • The proof only reveals the statement is true, it does not reveal anything else • Defined by simulation: • The adversary could have simulated the proof without knowing the prover’s witness

  27. Zero-knowledge view Simulator’s advantage: Can rewind adversary view ZK: Can be computational, statistical or perfect

  28. Exercises • Show the GI proof is perfect zero-knowledge • Argue why zero-knowledge implies witness indistinguishability • Give an example of a language and a proof system that is witness indistinguishable but not zero-knowledge (under reasonable assumptions)

More Related