LinearTime ZeroKnowledge Proofs for Arithmetic Circuit Satisfiability Jens

Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability Jens Groth University College London Joint work with Jonathan Bootle, Andrea Cerulli, Essam Ghadafi and Mohammad Hajiabadi to appear at Asiacrypt 2017

Zero-knowledge proof Statement: Witness Completeness: Honest prover convinces verifier Zero-knowledge: Prover Nothing but truth revealed Soundness: Verifier Statement is true

Internet voting Encrypts vote to keep it private Vote Tally without decrypting individual votes Ciphertext Voter Election authorities 3

Election fraud !!!! Encrypts 1, 000 votes for Macron Is the encrypted vote valid? Ciphertext Voter Election authorities 4

Zero-knowledge proof as solution Zero-knowledge: Vote is secret Soundness: Vote is valid Ciphertext Zero-knowledge proof for valid vote encrypted Voter Election authorities 5

Cryptography Problems typically arise when attackers deviate from a protocol (active attack) Zero-knowledge proofs prevent deviation and give security against active attacks 6

Parameters • Efficiency – – Communication (bits) Prover’s computation (seconds/operations) Verifier’s computation (seconds/operations) Round complexity (number of messages) • Security – Setup – Cryptographic assumptions

Arithmetic circuit satisfiability • 8

Zero-knowledge proof for arithmetic circuits Arithmetic circuit and constants Satisfying assignment Public coin setup and challenges Perfect completeness: Honest prover convinces verifier Statistical special honest Prover verifier zero-knowledge: Nothing but truth revealed Computational Verifier soundness: Statement is true

Efficiency Arithmetic circuit and constants

Strategy 1. Reformulate arithmetic circuit satisfiability as set of conditions over matrices of field elements 2. Prove each of the constraints in an ideal linear commitment model 3. Compile the ideal linear commitment model to the standard model using error-correcting codes and collision-resistant hash functions 11