Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability. Jens Groth, University College London. Joint work with Jonathan Bootle, Andrea Cerulli, Essam Ghadafi and Mohammad Hajiabadi. To appear at Asiacrypt 2017.
Zero-knowledge proof (prover and verifier)
• Statement and witness
• Completeness: honest prover convinces verifier
• Zero-knowledge: nothing but truth revealed
• Soundness: statement is true
Internet voting: the voter encrypts the vote to keep it private; the election authorities tally the ciphertexts without decrypting individual votes.
Election fraud: a voter encrypts 1,000 votes for Macron. Is the encrypted vote valid?
Zero-knowledge proof as solution: the voter attaches to the ciphertext a zero-knowledge proof that a valid vote is encrypted. Zero-knowledge: the vote is secret. Soundness: the vote is valid.
Cryptography: problems typically arise when attackers deviate from a protocol (active attack). Zero-knowledge proofs prevent deviation and give security against active attacks.
Parameters
• Efficiency
– Communication (bits)
– Prover's computation (seconds/operations)
– Verifier's computation (seconds/operations)
– Round complexity (number of messages)
• Security
– Setup
– Cryptographic assumptions
Arithmetic circuit satisfiability
Zero-knowledge proof for arithmetic circuits (prover and verifier)
• Arithmetic circuit and constants
• Satisfying assignment
• Public coin setup and challenges
• Perfect completeness: honest prover convinces verifier
• Statistical special honest verifier zero-knowledge: nothing but truth revealed
• Computational soundness: statement is true
Efficiency Arithmetic circuit and constants
Strategy
1. Reformulate arithmetic circuit satisfiability as a set of conditions over matrices of field elements
2. Prove each of the constraints in an ideal linear commitment model
3. Compile the ideal linear commitment model to the standard model using error-correcting codes and collision-resistant hash functions
Organize gate inputs and outputs as matrices
Arithmetic circuit specification
Wiring of the circuit
Witness satisfying circuit
Ideal linear commitment model
Arithmetic circuit satisfiability in the ideal linear commitment model
Addition proof in ideal linear commitment model
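A simplified illustration of an addition check in an ideal linear commitment model, added here and not taken from the slides or the paper: a trusted oracle stores the committed rows and answers only linear-combination queries, and the verifier tests a_i + b_i = c_i for every row with a single random-challenge query. The field modulus, the class and function names, and the sample matrices are assumptions made for this example.

```python
import secrets

P = 2**61 - 1  # prime modulus (assumed; the slides do not fix a field)

class IdealLinearCommitment:
    """Trusted oracle: stores committed vectors, reveals only linear combinations."""

    def __init__(self, length):
        self.length = length
        self._rows = []

    def commit(self, row):
        if len(row) != self.length:
            raise ValueError("wrong vector length")
        self._rows.append([v % P for v in row])
        return len(self._rows) - 1  # opaque handle for later queries

    def query(self, coeffs):
        """coeffs: {handle: scalar}. Returns sum(scalar * row) over the field."""
        out = [0] * self.length
        for handle, c in coeffs.items():
            for j, v in enumerate(self._rows[handle]):
                out[j] = (out[j] + c * v) % P
        return out

def commit_matrices(ilc, A, B, C):
    """Prover side: commit every row of A, B and the claimed sum C."""
    return tuple([ilc.commit(r) for r in M] for M in (A, B, C))

def verify_addition(ilc, handles, x=None):
    """Verifier side: one query of sum_i x^i * (a_i + b_i - c_i), must be zero.

    If any row relation fails, a nonzero polynomial in x would have to vanish,
    which happens for at most m challenge values (m = number of rows).
    """
    ha, hb, hc = handles
    x = secrets.randbelow(P - 1) + 1 if x is None else x
    coeffs, power = {}, 1
    for a, b, c in zip(ha, hb, hc):
        power = power * x % P
        coeffs[a], coeffs[b], coeffs[c] = power, power, (-power) % P
    return all(v == 0 for v in ilc.query(coeffs))

def demo():
    A, B = [[1, 2, 3], [4, 5, 6]], [[10, 20, 30], [40, 50, 60]]  # constructed sample
    good = [[(a + b) % P for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]
    bad = [good[0], [44, 55, 67]]  # last entry off by one
    honest, cheat = IdealLinearCommitment(3), IdealLinearCommitment(3)
    return (verify_addition(honest, commit_matrices(honest, A, B, good)),
            verify_addition(cheat, commit_matrices(cheat, A, B, bad)))
```

For an honest prover the queried combination is the all-zero vector, so the verifier learns nothing about the committed rows beyond the fact that the addition relation holds.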
Linear error-correcting code
• Example: Druk-Ishai 2014
From ideal to real linear commitments
Linear commitments with zero-knowledge
• Randomized encoding
• Exposure resilient
• Commitments can be constructed from hash functions
Efficiency and security: Arguments, Proofs