Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Zksnarks in english

379 views

Published on

Basic introduction to ZK-Snarks and Zero Knowledge Proofs

Published in: Engineering
  • Be the first to comment

Zksnarks in english

  1. 1. ZK-Snarks in English Ronak Kogta
  2. 2. In this talk, We’ll learn 1.What are Zero Knowledge Proofs ? 2.What are Zk-Snarks ? 3. How to construct Zk- Snarks ?
  3. 3. Problem Statement Alice belongs to an organisation A Bob belongs to an organisation B
  4. 4. Problem Statement Alice belongs to an organisation A Bob belongs to an organisation B They both want to do a transaction, and want the valid result for their inputs
  5. 5. Problem Statement Alice belongs to an organisation A Bob belongs to an organisation B They both want to do a transaction, and want the valid result for their inputs Since inputs are important for both organisation A and B, 
 they do now want to reveal that information
  6. 6. Problem Statement Alice belongs to an organisation A Bob belongs to an organisation B They both want to do a transaction, and want the valid result for their inputs Since inputs are important for both organisation A and B, 
 they do now want to reveal that information Do not trust each other
  7. 7. Problem Statement Sends y Holds x Sends f(x,y) Holds y
  8. 8. Problem Statement Here Bob compromises, and reveals his y Sends y Holds x Sends f(x,y) Holds y
  9. 9. Problem Statement Here Bob compromises, and reveals his y Sends y Holds x Sends f(x,y) Holds y Alice may change her x, and give wrong f(x,y)
  10. 10. Problem Statement Here Bob compromises, and reveals his y Sends y Holds x Sends f(x,y) Holds y Alice may change her x, and give wrong f(x,y) Or Bob gives y in such a way that info about x is revealed
  11. 11. Problem Statement Here Bob compromises, and reveals his y Sends y Holds x Sends f(x,y) Holds y Alice may change her x, and give wrong f(x,y) Or Bob gives y in such a way that info about x is revealed Both Alice and Bob can cheat, and the transaction will have no
 fairness guarantee
  12. 12. 
 Fairness by 3rd Party Sends y Holds x Sends f(x,y) Holds y Third Party Auditor
  13. 13. 
 Fairness by 3rd Party Sends y Holds x Sends f(x,y) Holds y Third Party Auditor
  14. 14. 
 Fairness by 3rd Party Sends y Holds x Sends f(x,y) Holds y Third Party Auditor
  15. 15. 
 Fairness by 3rd Party Sends y Holds x Sends f(x,y) Holds y Third Party Auditor
  16. 16. 
 Fairness by 3rd Party Sends y Holds x Sends f(x,y) Holds y Third Party Auditor Evaluation of x, y and f(x,y) was correct.
 OK! Error in evaluation.
 Not OK!
  17. 17. 
 Fairness by 3rd Party Sends y Holds x Sends f(x,y) Holds y Third Party Auditor Evaluation of x, y and f(x,y) was correct.
 OK! Error in evaluation.
 Not OK! This approach delegates trust to the third party, and our security totally depends 
 on premise that auditor is not malicious or he is not hacked
  18. 18. Computational Integrity and Privacy (CIP) • Integrity of computation (CI): Bob wants to establish that an asserted NP statement by Alice is valid and True. • Confidentiality of input (P): If NP statement is true, the prover (Alice) can convince verifier (Bob) without leaking any information about her input. • Proofs of Knowledge: Bob wants a guarantee that agreed upon ‘secret input’ exists and Alice knows that ‘secret input ’ • Efficiency: Bob should be able to verify proof in bounded polynomial time.
  19. 19. Proof Systems A proof system S for language L is a pair S=(V,P) where V is verifier 
 and P is prover VerifierProver
  20. 20. Proof Systems A proof system S for language L is a pair S=(V,P) where V is verifier 
 and P is prover VerifierProver Prover should not be able to convince verifier a false statement with negligible probability Soundness
  21. 21. Proof Systems A proof system S for language L is a pair S=(V,P) where V is verifier 
 and P is prover VerifierProver Prover should not be able to convince verifier a false statement with negligible probability Soundness Prover should be able to convince verifier true statement with absolute certainty Completeness
  22. 22. Proof Systems A proof system S for language L is a pair S=(V,P) where V is verifier 
 and P is prover VerifierProver Prover should not be able to convince verifier a false statement with negligible probability Soundness Verifier should be able to verify the validity of arguments in polynomial time Efficiency Prover should be able to convince verifier true statement with absolute certainty Completeness
  23. 23. Proof Systems • Language “L” is NP-Complete. • “Karp’s Reduction”: A problem in NP-Complete can be converted to another problem in NP-Complete in polynomial time w.r.t to length of input. • So, if you can construct a proof for one problem, all other problems could be solved by converting to the prior problem. • Another advantage of such language is that they can be verified in bounded time, but cannot be solved easily.
  24. 24. Proof Systems
  25. 25. Proof Systems In short, proof systems mathematically validate the authenticity of
 a computation. Zero knowledge proofs are a subset of proof system, with an 
 additional constraint of “hiding” or “zero knowledge”.
  26. 26. Proof Systems In short, proof systems mathematically validate the authenticity of
 a computation. Zero knowledge proofs are a subset of proof system, with an 
 additional constraint of “hiding” or “zero knowledge”. Sends E(y) Holds x Sends E(f(x,y)) Holds y
  27. 27. Proof Systems In short, proof systems mathematically validate the authenticity of
 a computation. Zero knowledge proofs are a subset of proof system, with an 
 additional constraint of “hiding” or “zero knowledge”. Sends E(y) Holds x Sends E(f(x,y)) Holds y Here key element is that we have used E(..), a hiding scheme
 which does not reveal y to Alice and x is not revealed to Bob
  28. 28. Proof Systems In short, proof systems mathematically validate the authenticity of
 a computation. Zero knowledge proofs are a subset of proof system, with an 
 additional constraint of “hiding” or “zero knowledge”. Sends E(y) Holds x Sends E(f(x,y)) Holds y Here key element is that we have used E(..), a hiding scheme
 which does not reveal y to Alice and x is not revealed to Bob Both Alice and Bob Learns nothing
  29. 29. Prover Sends E(y) Holds x Sends E(f(x,y)) Holds y Verifier Round 1
  30. 30. Prover Sends E(y) Holds x Sends E(f(x,y)) Holds y Verifier Round 1 Prover Sends E(y’) Holds x Sends E(f(x,y’)) Holds y’ Verifier Round 2
  31. 31. Prover Sends E(y) Holds x Sends E(f(x,y)) Holds y Verifier Round 1 Prover Sends E(y’) Holds x Sends E(f(x,y’)) Holds y’ Verifier Round 2 Prover Sends E(y’’) Holds x Sends E(f(x,y’’)) Holds y’’ Verifier .
 .
 . Round k
  32. 32. Interactive ZK (Izk) • In previous construction, verifier and prover interactively solve puzzles while guarding their knowledge, and verifying the computation. • After k times, verifier will probabilistically be able to assert that prover has a very less probability to cheat, as he provided with different inputs, and prover has to provide right solution every time. (Soundness and Completeness) • That will only happen if prover knows right input and did right computation.
  33. 33. Non-interactive ZK (NIZK) • Interactive ZK involves active participation of two parties, and in practice, it is slow and hard to achieve. • NIZK proofs are preprocessed ZKP, which needs to be published at untampered memory. Blockchain could be such memory. • Interesting properties of NIZK proofs Publishes a proof π Generates VK and PK keys, so proof π can be mathematically reproduced by PK and verified by VK Needs a trusted setup to generate a CRS, which can be seen by both prover and verifier.
  34. 34. CRS Model • Initial parameters are randomly chosen using a good pseudorandom generator. • It requires a trusted setup. • These parameters are used to generate a “Common Reference String”, which can be seen by both Alice and Bob, or more formally Prover and Verifier. • The initial parameters used to generate CRS needs to be securely destroyed, otherwise CRS could be spoofed.
  35. 35. Till now • We saw the problem between Alice and Bob and explored some solutions along with third party • Saw the construction of interactive zero knowledge proofs and non-interactive zero knowledge proofs
  36. 36. What is ZK-SNARK ?
  37. 37. ZK-SNARKs • One of the recent development in NIZK proofs. Stands for Succinct non-interactive arguments of knowledge. • We need Proof length to be short (that’s why succinct) Verifiable in short amount of time (that’s why NI) And of course, we need to show that we know an input which yields a certain computation (that’s why ARKs)
  38. 38. ZK-SNARKs • Construction of ZK-SNARKs involves construction of two important pieces Cryptographic proof system for verifying satisfiability of arithmetic circuits Circuit generator to translate program executions to such circuits
  39. 39. Cryptographic Proof system for ZK-SNARKs • ZK-SNARKs exist for all problems in NP. For above construction we use Circuit-SAT satisfiability problem • It is NP-Complete problem, and a variant of Boolean Satisfiability problem. Efficient constructions from arbitrary program to arithmetic circuits exists in literature. Quadratic Arithmetic Program (QAP)
  40. 40. Cryptographic Proof system for ZK-SNARKs
  41. 41. Cryptographic Proof system for ZK-SNARKs Initial Parameters
  42. 42. Cryptographic Proof system for ZK-SNARKs Initial Parameters Arbitrary Program
  43. 43. Cryptographic Proof system for ZK-SNARKs Initial Parameters Arbitrary Program Arithmetic Circuit
  44. 44. Cryptographic Proof system for ZK-SNARKs Initial Parameters Arbitrary Program Arithmetic Circuit Key generation on trusted setup
  45. 45. Cryptographic Proof system for ZK-SNARKs Initial Parameters CRS Arbitrary Program Arithmetic Circuit Key generation on trusted setup
  46. 46. Cryptographic Proof system for ZK-SNARKs Initial Parameters CRS Destroy parameters Arbitrary Program Arithmetic Circuit Key generation on trusted setup
  47. 47. Cryptographic Proof system for ZK-SNARKs Initial Parameters CRS Destroy parameters Arbitrary Program Arithmetic Circuit Key generation on trusted setup
  48. 48. Cryptographic Proof system for ZK-SNARKs Initial Parameters CRS Destroy parameters Arbitrary Program Arithmetic Circuit Key generation on trusted setup
  49. 49. Cryptographic Proof system for ZK-SNARKs Initial Parameters CRS Destroy parameters Arbitrary Program Arithmetic Circuit Key generation on trusted setup Holds witness w and
 publishes proof π Evaluates π and 
 existence of w
  50. 50. Cryptographic Proof system for ZK-SNARKs • Arbitrary program is encoded to polynomials defined over a prime field Fp, where p is prime number. Computers are not good with handling arbitrary large numbers, so having a upper bound is good assumption Field arithmetic allows trapdoor functions, which are harder to solve unless secret trapdoor is known. For eg. Discrete logarithm problem. Arithmetic involves simple addition and multiplication defined over field i.e modular arithmetic Solve for: t(x)h(x) = w(x)v(x)
  51. 51. Till now ZK-SNARK is a cryptographic method for proving/verifying, in zero knowledge, the integrity of computations.
  52. 52. Till now ZK-SNARK is a cryptographic method for proving/verifying, in zero knowledge, the integrity of computations. C program foo Input bar Additional input qux
  53. 53. Till now ZK-SNARK is a cryptographic method for proving/verifying, in zero knowledge, the integrity of computations. Exit Code 0 C program foo Input bar Additional input qux
  54. 54. Till now ZK-SNARK is a cryptographic method for proving/verifying, in zero knowledge, the integrity of computations. Exit Code 0 C program foo Input bar Additional input qux Arithmetic circuit foo
  55. 55. Till now ZK-SNARK is a cryptographic method for proving/verifying, in zero knowledge, the integrity of computations. Exit Code 0 C program foo Input bar Additional input qux Arithmetic circuit foo Accepts the partial 
 assignment bar, when
 extended into some 
 full assignment qux
  56. 56. Till now ZK-SNARK is a cryptographic method for proving/verifying, in zero knowledge, the integrity of computations. Exit Code 0 C program foo Input bar Additional input qux Arithmetic circuit foo Accepts the partial 
 assignment bar, when
 extended into some 
 full assignment qux f(x) Set of constraints foo
  57. 57. Till now ZK-SNARK is a cryptographic method for proving/verifying, in zero knowledge, the integrity of computations. Exit Code 0 C program foo Input bar Additional input qux Arithmetic circuit foo Accepts the partial 
 assignment bar, when
 extended into some 
 full assignment qux f(x) Set of constraints foo Accepts the partial 
 assignment bar, when
 extended into some 
 full assignment qux
  58. 58. Till now ZK-SNARK is a cryptographic method for proving/verifying, in zero knowledge, the integrity of computations. Exit Code 0 C program foo Input bar Additional input qux Arithmetic circuit foo Accepts the partial 
 assignment bar, when
 extended into some 
 full assignment qux f(x) Set of constraints foo Accepts the partial 
 assignment bar, when
 extended into some 
 full assignment qux Verifier accepts
  59. 59. How to construct ZK- SNARKs
  60. 60. Breaking down ZK-SNARKs logically 1. Homomorphic Hiding 2.From computations to polynomials 1. Blind evaluation of polynomials 2. Making blind evaluation of polynomials verifiable 3. Zero knowledge Construction 1. Satisfying QAP (Pinocchio Protocol ) 2. Pairings of elleptic curves
  61. 61. Homomorphic Hiding • In above equation, Prover should not be able to deduce “s”, so rather than providing input s, we provide E(x) s.t
 • E(x) is a homomorphic hiding scheme s.t I. Given E(x), it is hard to find x II. If x ≠ y, then E(x) ≠ E(y) III. E(x + y) = E(x) + E(y) • This is mainly used to hide verifier challenges t(x)h(x) = w(x)v(x) E(t(x))E(h(x)) = E(w(x))E(v(x))
  62. 62. Blind evaluation of 
 t(x)h(x) = w(x)v(x) • Solving for x will be really hard, as degree of this polynomial can go as much as 2 ^21 • To make our proof efficient, we chose a random s, s.t This reduces our problem to equating variables and doing simple multiplication and addition. Even so, it is compute intensive work. Instead of (s 0 , s 1 , s 2 …s d ), we chose to send (E(s 0 ), E(s 1 ), E(s 2 )…E(s d ) ), where d is degree of polynomial, and can be published in CRS. S is one of those parameters that needs to be destroyed. However Alice may ignore (E(s 0 ), E(s 1 ), E(s 2 )…E(s d ) ) and pick her own values, so we need to verify the evaluation of polynomials t(s)h(s) = w(s)v(s)
  63. 63. Verifiable Blind Evaluation
 of polynomials • Knowledge of Coefficient Test (KC Test) • For α ∈ Fp, a pair (a,b) in G is an α pair if • a,b ≠ 0 • b = α . a • Given an α pair (a,b) • There exists no way to deduce a from b. • Only way to generate same α pair, is by selecting random k s.t k*b = α . (k* a)
  64. 64. Verifiable Blind Evaluation
 of polynomials • d-KCA Test : Suppose Bob choses random α ∈ Fp and s ∈ Fp and sends d alpha pairs (E(s0 )…E(sd ) ) and
 (α . E(s0 )… α .E(sd ) ) to Alice, and in return Alice returns one alpha pair (a’, b’), where with negligible probability Alice knows (c0 , c1 , c2 …cd ) ∈ Fp s.t
 • Bob sends an alpha pair to Alice (s, α.s) s.t • Alice computes a = P(s) and b = αP(s) • Bob checks if b = α . a, and accepts if and only if equality holds. ∑i d ci si .g = a’
  65. 65. Satisfying QAP A Quadratic Arithmetic Program Q of degree d and size m consists of polynomials L1…Lm, R1…Rm, O1…Om and a target polynomial T of degree d. 
 An assignment (C1…Cm) satisfies Q if (i) L:= ∑i m ci Li (ii)R:= ∑i m ci Ri (iii) O:= ∑i m ci Oi (iv) P:= L . R - O , we have T divides P or P=H . T 
 As we saw earlier, we do not need to evaluate for x, but rather chose s ∈ Fp such that P(s) = H(s).T(s)
  66. 66. Satisfying QAP • Alice chooses polynomials L,R,O,H of degree at most d • Bob chooses a random point s ∈ Fp and computes E(T(s)) • Alice sends Bob the hidings of all these polynomials evaluated at s i.e. E(L(s)), E(R(s)), E(O(s)), E(H(s)) • Bob checks if the desired equation holds at s That is, he checks whether E(L(s)⋅R(s)−O(s))=E(T(s)⋅H(s)). To simplify construction we reduce L,R,O to a single polynomial F F=L+Xd+1⋅R+X2(d+1)⋅O *Note that all coefficients do not mix, as they are separated by degree d
  67. 67. Elliptic Curve Pairing • It is used for equality check for polynomials. • Since maths for this is a little tricky, it would be better if you check out these resources 1.Elliptic curve pairing 2.Exploring Elliptic curve pairing
  68. 68. References 1.Succinct Non-Interactive Zero Knowledge fro a von Neumann Architecture, Eli Ben-Sasson 2. ZK-Snarks in nutshell by Christian Reitwiessner 3. How ZK-Snarks work in zcash 4. ZK-Snarks under the hood by Vitalik Buterin 5. Pairing for beginners by Craig Costello

×