Basic introduction to ZK-Snarks and Zero Knowledge Proofs

Published in:
Engineering

No Downloads

Total views

379

On SlideShare

0

From Embeds

0

Number of Embeds

6

Shares

0

Downloads

35

Comments

0

Likes

2

No embeds

No notes for slide

- 1. ZK-Snarks in English, by Ronak Kogta
- 2. In this talk, we'll learn: 1. What are Zero Knowledge Proofs? 2. What are ZK-SNARKs? 3. How to construct ZK-SNARKs?
- 3-6. Problem Statement: Alice belongs to an organisation A; Bob belongs to an organisation B. They both want to do a transaction, and want the valid result for their inputs. Since the inputs are important for both organisation A and organisation B, they do not want to reveal that information. They do not trust each other.
- 7-11. Problem Statement [Diagram: Alice holds x, Bob holds y; Bob sends y to Alice, and Alice sends f(x,y) back to Bob.] Here Bob compromises and reveals his y. Alice may change her x and give a wrong f(x,y). Or Bob gives y in such a way that information about x is revealed. Both Alice and Bob can cheat, and the transaction will have no fairness guarantee.
- 12-17. Fairness by 3rd Party [Diagram: the same exchange (Bob sends y, Alice sends f(x,y)), but x, y and f(x,y) are also handed to a Third Party Auditor, who reports either "Evaluation of x, y and f(x,y) was correct. OK!" or "Error in evaluation. Not OK!"] This approach delegates trust to the third party, and our security depends entirely on the premise that the auditor is not malicious and has not been hacked.
- 18. Computational Integrity and Privacy (CIP) • Integrity of computation (CI): Bob wants to establish that an NP statement asserted by Alice is valid and true. • Confidentiality of input (P): if the NP statement is true, the prover (Alice) can convince the verifier (Bob) without leaking any information about her input. • Proofs of Knowledge: Bob wants a guarantee that the agreed-upon "secret input" exists and that Alice knows that "secret input". • Efficiency: Bob should be able to verify the proof in bounded polynomial time.
- 19-22. Proof Systems: A proof system S for a language L is a pair S=(V,P) where V is the verifier and P is the prover. [Diagram: Prover and Verifier exchanging messages.] Soundness: the prover should be able to convince the verifier of a false statement only with negligible probability. Completeness: the prover should be able to convince the verifier of a true statement with absolute certainty. Efficiency: the verifier should be able to verify the validity of the arguments in polynomial time.
- 23. Proof Systems • The language "L" is NP-Complete. • "Karp's Reduction": a problem in NP-Complete can be converted to another NP-Complete problem in polynomial time w.r.t. the length of the input. • So, if you can construct a proof for one problem, all other problems can be handled by converting them to that problem. • Another advantage of such languages is that their solutions can be verified in bounded time, but cannot be found easily.
- 24-28. Proof Systems: In short, proof systems mathematically validate the authenticity of a computation. Zero knowledge proofs are a subset of proof systems, with an additional constraint of "hiding" or "zero knowledge". [Diagram: Alice holds x, Bob holds y; Bob sends E(y), Alice sends E(f(x,y)).] The key element here is that we have used E(..), a hiding scheme which does not reveal y to Alice, and x is not revealed to Bob. Both Alice and Bob learn nothing.
- 29-31. [Diagram: the exchange repeated over rounds. Round 1: the Verifier (holds y) sends E(y), the Prover (holds x) sends E(f(x,y)). Round 2: the Verifier (holds y') sends E(y'), the Prover sends E(f(x,y')). ... Round k: the Verifier (holds y'') sends E(y''), the Prover sends E(f(x,y'')).]
- 32. Interactive ZK (IZK) • In the previous construction, verifier and prover interactively solve puzzles while guarding their knowledge and verifying the computation. • After k rounds, the verifier can probabilistically assert that the prover has a very small probability of having cheated, since he was given different inputs and had to provide the right solution every time (Soundness and Completeness). • That will only happen if the prover knows the right input and did the right computation.
- 33. Non-interactive ZK (NIZK) • Interactive ZK involves active participation of two parties, and in practice it is slow and hard to achieve. • NIZK proofs are preprocessed ZKPs, which need to be published in untampered memory. A blockchain could be such memory. • Interesting properties of NIZK proofs: the prover publishes a proof π; the setup generates keys VK and PK, so the proof π can be mathematically reproduced with PK and verified with VK; it needs a trusted setup to generate a CRS, which can be seen by both prover and verifier.
- 34. CRS Model • The initial parameters are randomly chosen using a good pseudorandom generator. • It requires a trusted setup. • These parameters are used to generate a "Common Reference String", which can be seen by both Alice and Bob, or more formally by Prover and Verifier. • The initial parameters used to generate the CRS need to be securely destroyed; otherwise the CRS could be spoofed.
- 35. Till now • We saw the problem between Alice and Bob and explored some solutions, including a third party. • We saw the construction of interactive zero knowledge proofs and non-interactive zero knowledge proofs.
- 36. What is ZK-SNARK?
- 37. ZK-SNARKs • One of the recent developments in NIZK proofs. Stands for Succinct Non-interactive ARguments of Knowledge. • We need: the proof length to be short (that's why Succinct); verifiable in a short amount of time (that's why NI); and of course, we need to show that we know an input which yields a certain computation (that's why ARKs).
- 38. ZK-SNARKs • Construction of ZK-SNARKs involves the construction of two important pieces: a cryptographic proof system for verifying satisfiability of arithmetic circuits, and a circuit generator to translate program executions into such circuits.
- 39. Cryptographic Proof system for ZK-SNARKs • ZK-SNARKs exist for all problems in NP. For the above construction we use the Circuit-SAT satisfiability problem. • It is an NP-Complete problem and a variant of the Boolean Satisfiability problem. Efficient constructions from arbitrary programs to arithmetic circuits exist in the literature: Quadratic Arithmetic Programs (QAP).
- 40-49. Cryptographic Proof system for ZK-SNARKs [Diagram of the pipeline: Initial Parameters → Key generation on trusted setup → CRS, after which the parameters are destroyed. Arbitrary Program → Arithmetic Circuit. The prover holds the witness w and publishes a proof π; the verifier evaluates π and the existence of w.]
- 50. Cryptographic Proof system for ZK-SNARKs • The arbitrary program is encoded into polynomials defined over a prime field Fp, where p is a prime number. Computers are not good at handling arbitrarily large numbers, so having an upper bound is a good assumption. Field arithmetic allows trapdoor functions, which are hard to invert unless the secret trapdoor is known, e.g. the discrete logarithm problem. The arithmetic involves only addition and multiplication defined over the field, i.e. modular arithmetic. Solve for: t(x)h(x) = w(x)v(x)
- 51-58. Till now: ZK-SNARK is a cryptographic method for proving/verifying, in zero knowledge, the integrity of computations. [Diagram: C program foo, run on input bar with additional input qux, exits with code 0. Arithmetic circuit foo accepts the partial assignment bar when extended into some full assignment qux. Set of constraints foo, f(x), accepts the partial assignment bar when extended into some full assignment qux. The verifier accepts.]
- 59. How to construct ZK-SNARKs
- 60. Breaking down ZK-SNARKs logically: 1. Homomorphic Hiding. 2. From computations to polynomials: (1) blind evaluation of polynomials, (2) making blind evaluation of polynomials verifiable. 3. Zero knowledge construction: (1) satisfying the QAP (Pinocchio Protocol), (2) pairings of elliptic curves.
- 61. Homomorphic Hiding t(x)h(x) = w(x)v(x), which becomes E(t(x))E(h(x)) = E(w(x))E(v(x)) • In the above equation, the prover should not be able to deduce "s", so rather than providing the input s, we provide E(s), where E(·) is a homomorphic hiding scheme s.t. I. Given E(x), it is hard to find x. II. If x ≠ y, then E(x) ≠ E(y). III. E(x + y) = E(x) + E(y). • This is mainly used to hide verifier challenges.
- 62. Blind evaluation of t(x)h(x) = w(x)v(x) • Solving for x will be really hard, as the degree of this polynomial can go as high as 2^21. • To make our proof efficient, we choose a random s, s.t. t(s)h(s) = w(s)v(s). This reduces our problem to equating variables and doing simple multiplication and addition. Even so, it is compute-intensive work. Instead of (s^0, s^1, s^2, …, s^d), we choose to send (E(s^0), E(s^1), E(s^2), …, E(s^d)), where d is the degree of the polynomial, and this can be published in the CRS. s is one of those parameters that needs to be destroyed. However, Alice may ignore (E(s^0), E(s^1), E(s^2), …, E(s^d)) and pick her own values, so we need to verify the evaluation of the polynomials.
- 63. Verifiable Blind Evaluation of polynomials • Knowledge of Coefficient Test (KC Test) • For α ∈ Fp, a pair (a,b) in G is an α-pair if a,b ≠ 0 and b = α · a. • Given an α-pair (a,b): there is no way to deduce α from b, and the only way to generate another α-pair is to select a random k and take (k·a, k·b), since k·b = α · (k·a).
- 64. Verifiable Blind Evaluation of polynomials • d-KCA Test: Suppose Bob chooses random α ∈ Fp and s ∈ Fp and sends the α-pairs (E(s^0), …, E(s^d)) and (α·E(s^0), …, α·E(s^d)) to Alice, and in return Alice returns one α-pair (a', b'). Then, except with negligible probability, Alice knows (c_0, c_1, c_2, …, c_d) ∈ Fp s.t. a' = ∑_{i=0..d} c_i · s^i · g. • Bob sends an α-pair (s, α·s) to Alice s.t. • Alice computes a = P(s) and b = αP(s). • Bob checks if b = α · a, and accepts if and only if the equality holds.
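The hiding, blind evaluation and KC test of slides 61-64, worked through as an added example that is not part of the deck: E(x) is written multiplicatively as G^x mod p in a toy prime-order group (so the slides' α·a becomes a^α), and the group parameters, the polynomial and the fixed values of s and α are constructed toy inputs, not secure ones.

```python
import random

P_MOD = 1019  # toy safe prime (constructed): P_MOD = 2*Q + 1, far too small to be secure
Q = 509       # prime order of the subgroup generated by G; exponents live in F_Q
G = 4         # a generator of that order-Q subgroup of Z_P^*

def E(x):
    """Homomorphic hiding E(x) = G^x mod P_MOD (slide 61): hard to invert
    (discrete log), injective on F_Q, and E(x + y) = E(x) * E(y)."""
    return pow(G, x % Q, P_MOD)

def poly_eval(coeffs, x):
    """Plain c(x) = sum c_i x^i over F_Q; only used to check the blind result."""
    return sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q

def trusted_setup(degree, s=None, alpha=None):
    """CRS of slides 62/64: hidings E(s^i) and alpha-shifted copies E(alpha*s^i), i = 0..d.
    s is the parameter that must be destroyed after setup; alpha stays with Bob.
    Fixed s/alpha are accepted only so the toy can be checked deterministically."""
    s = random.randrange(1, Q) if s is None else s
    alpha = random.randrange(2, Q) if alpha is None else alpha  # alpha != 1, see forged_pair
    hidings = [E(pow(s, i, Q)) for i in range(degree + 1)]
    shifted = [E(alpha * pow(s, i, Q)) for i in range(degree + 1)]
    return (hidings, shifted), alpha

def blind_evaluate(coeffs, crs):
    """Alice computes E(c(s)) and E(alpha*c(s)) without ever learning s:
    prod E(s^i)^(c_i) = E(sum c_i s^i) by the homomorphic property."""
    a = b = 1
    for c, h, sh in zip(coeffs, *crs):
        a = a * pow(h, c, P_MOD) % P_MOD
        b = b * pow(sh, c, P_MOD) % P_MOD
    return a, b

def kc_check(a, b, alpha):
    """KC test (slides 63/64): accept iff (a, b) is an alpha-pair, i.e. b = alpha . a in the
    exponent, which Alice can only build by combining the CRS elements she was given."""
    return a != 1 and b == pow(a, alpha, P_MOD)

def forged_pair():
    """Alice ignoring the CRS (slide 62) and inventing her own (a, b): without alpha
    she cannot produce the shifted element, so (E(7), E(7)) is rejected whenever alpha != 1."""
    return E(7), E(7)

if __name__ == "__main__":
    crs, alpha = trusted_setup(3, s=7, alpha=11)   # toy values; s would be destroyed here
    a, b = blind_evaluate([5, 0, 3, 1], crs)       # c(x) = x^3 + 3x^2 + 5
    print("honest pair accepted:", kc_check(a, b, alpha))
    print("forged pair accepted:", kc_check(*forged_pair(), alpha))
```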
- 65. Satisfying QAP: A Quadratic Arithmetic Program Q of degree d and size m consists of polynomials L_1…L_m, R_1…R_m, O_1…O_m and a target polynomial T of degree d. An assignment (c_1…c_m) satisfies Q if, with (i) L := ∑_{i=1..m} c_i L_i, (ii) R := ∑_{i=1..m} c_i R_i, (iii) O := ∑_{i=1..m} c_i O_i, (iv) P := L · R − O, we have that T divides P, i.e. P = H · T. As we saw earlier, we do not need to evaluate at every x, but rather choose s ∈ Fp and check that P(s) = H(s)·T(s).
- 66. Satisfying QAP • Alice chooses polynomials L, R, O, H of degree at most d. • Bob chooses a random point s ∈ Fp and computes E(T(s)). • Alice sends Bob the hidings of all these polynomials evaluated at s, i.e. E(L(s)), E(R(s)), E(O(s)), E(H(s)). • Bob checks whether the desired equation holds at s, that is, whether E(L(s)⋅R(s)−O(s)) = E(T(s)⋅H(s)). To simplify the construction we reduce L, R, O to a single polynomial F = L + X^(d+1)⋅R + X^(2(d+1))⋅O. *Note that the coefficients do not mix, as they are separated by degree d.
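The QAP definition of slide 65 and the divisibility check of slide 66, worked through as an added example that is not from the deck: a toy circuit for out = x^3 + x + 5 (the circuit, the field modulus and the gate encoding are assumptions for illustration) is turned into L_i, R_i, O_i by interpolation over the gate roots, and the assignment is accepted only if T divides L·R − O, with the quotient H and the check at a random point s.

```python
P = 1019  # toy prime field modulus (constructed; real SNARKs use ~254-bit primes)
# Polynomials are coefficient lists over F_P, lowest degree first.
def padd(a, b):
    n = max(len(a), len(b))
    return [(x + y) % P for x, y in zip(a + [0] * (n - len(a)), b + [0] * (n - len(b)))]
def pmul(a, b):
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % P
    return r
def pscale(a, k): return [x * k % P for x in a]
def peval(a, x): return sum(c * pow(x, i, P) for i, c in enumerate(a)) % P
def pdivmod(a, b):  # long division over F_P -> (quotient, remainder)
    a, m, inv = a[:], len(b), pow(b[-1], P - 2, P)
    q = [0] * max(1, len(a) - m + 1)
    for i in range(len(a) - m, -1, -1):
        q[i] = a[i + m - 1] * inv % P
        for j, y in enumerate(b):
            a[i + j] = (a[i + j] - q[i] * y) % P
    return q, a[:m - 1] or [0]
def lagrange(points):  # the polynomial through the given (x_k, y_k) pairs over F_P
    res = [0]
    for k, (xk, yk) in enumerate(points):
        term = [yk]
        for j, (xj, _) in enumerate(points):
            if j != k:
                term = pmul(term, pscale([-xj % P, 1], pow(xk - xj, P - 2, P)))
        res = padd(res, term)
    return res
# Toy circuit computing out = x^3 + x + 5; one root of T per multiplication gate.
VARS = ["one", "x", "out", "v1", "v2"]
GATES = [  # (left coeffs, right coeffs, output coeffs), each indexed like VARS
    ([0, 1, 0, 0, 0], [0, 1, 0, 0, 0], [0, 0, 0, 1, 0]),  # v1  = x * x
    ([0, 0, 0, 1, 0], [0, 1, 0, 0, 0], [0, 0, 0, 0, 1]),  # v2  = v1 * x
    ([5, 1, 0, 0, 1], [1, 0, 0, 0, 0], [0, 0, 1, 0, 0]),  # out = (v2 + x + 5) * 1
]
ROOTS = [1, 2, 3]
T = pmul(pmul([P - 1, 1], [P - 2, 1]), [P - 3, 1])  # target T = (X-1)(X-2)(X-3)
def qap_polys():  # L_i, R_i, O_i with L_i(r_k) = left coeff of variable i in gate k
    col = lambda pos, i: lagrange([(r, g[pos][i]) for r, g in zip(ROOTS, GATES)])
    return [[col(pos, i) for i in range(len(VARS))] for pos in range(3)]
def witness(x):  # full assignment (one, x, out, v1, v2) from running the program on x
    v1, v2 = x * x % P, x * x * x % P
    return [1, x, (v2 + x + 5) % P, v1, v2]
def check_assignment(c):  # slide 65: Pp := L*R - O must be divisible by T
    Ls, Rs, Os = qap_polys()
    L = R = O = [0]
    for i, ci in enumerate(c):  # L := sum c_i L_i, likewise R and O
        L, R, O = padd(L, pscale(Ls[i], ci)), padd(R, pscale(Rs[i], ci)), padd(O, pscale(Os[i], ci))
    Pp = padd(pmul(L, R), pscale(O, P - 1))  # L*R - O (subtract via multiply by -1)
    H, rem = pdivmod(Pp, T)   # Pp = H*T + rem; the QAP is satisfied iff rem == 0
    return all(x == 0 for x in rem), H, Pp
```

A wrong output (for example claiming out = 36 for x = 3) leaves a non-zero remainder, and once Pp = H·T holds it can be confirmed at a single random s, which is exactly the check slide 66 performs on the hidings.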
- 67. Elliptic Curve Pairing • It is used for the equality check on polynomials. • Since the maths for this is a little tricky, it would be better to check out these resources: 1. Elliptic curve pairing 2. Exploring Elliptic curve pairing
- 68. References 1. Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture, Eli Ben-Sasson 2. ZK-SNARKs in a nutshell, by Christian Reitwiessner 3. How ZK-SNARKs work in Zcash 4. ZK-SNARKs under the hood, by Vitalik Buterin 5. Pairings for beginners, by Craig Costello
