
Zero-Knowledge Proofs

Hridam Basu
Plan Ahead

Proofs

Interactive Proofs

Zero-Knowledge Proofs

Non-Interactive Zero-Knowledge Proofs

Succinct Non-Interactive Argument of Knowledge


P and NP

P - Problems that can be solved in polynomial time

NP - Problems that can be verified in polynomial time

NP-Complete - Intersection of NP and NP-Hard - problems for which no efficient (polynomial-time) solution is known
Discrete Logarithm Problem (DLP)

Multiplicative cyclic group G with generator g: every element h can be written as h = g^x

Hard to find the discrete logarithm of an element h of G: x = log_g h

DLP is not hard for all groups G

Popular choice of G: Z_p^*, where p is a large prime

Eg: If G = Z_5^* and g = 2, the discrete logarithm of 1 is 4 because 2^4 = 1 mod 5
Proof?

Too Complicated?

“A proof is whatever convinces me.”

– Shimon Even
Statement, Witness, Relation

Proofs demonstrate that some statement is valid

Formally (x, w) ∈ R where x is the instance, w is the witness, R is the relation

Basically the statement is: x ∈ L

Let R : polynomials that vanish at certain points

Let x : a^2 − 3a + 2 = (a − 1)(a − 2)

Then witness w : solution to the equation x = 0; so w = {1, 2}

We say (x, w) ∈ R if a^2 − 3a + 2 vanishes at a = w, ie, w^2 − 3w + 2 = 0
Interactive Proofs (IP)

Properties of IP

Completeness - Prover must be able to prove true statements

Soundness - Cheating prover cannot convince verifier of false statements
Zero-Knowledge Proofs (ZKP)

Properties of ZKP

Completeness - Honest Prover must be able to prove true statements, ie, convince verifier

Soundness - Cheating Prover cannot convince verifier of false statements

Zero-Knowledge - Malicious Verifier learns nothing beyond the correctness of the statement
Knowledge

Knowledge is different from information

If Alice and Bob are interacting, then Bob (verifier) gains knowledge only if he can compute something after the conversation that he could not do before
Expressiveness of ZKP

Assuming One-Way Functions, all Languages in NP have Zero-Knowledge Proofs!

– Goldreich, Micali and Wigderson, JACM ‘91

One-Way Functions are those that are easy to compute but hard to invert. Eg: Hash function, Discrete Log., etc.
Simulator

On a high level, the ZK property (ie, that there is no extra information leakage) is proved with the help of a polynomial-time simulator algorithm

Simulator generates an identical transcript (conversation between prover and verifier) based only on the common inputs, without any interaction with the prover

Simulated transcript between simulator and verifier is indistinguishable from the original transcript between prover and verifier
Soundness

Computational - based on some computationally hard problem (eg. Discrete Logarithm Problem)

Perfect - information theoretically secure even if quantum computers were invented

Special - proof of knowledge
Commitment Scheme

Secure lock box containing a secret, with a key

For committing to a secret, write down the secret on a piece of paper and lock the box

For opening the commitment (ie, de-commitment) provide the key, so that the verifier can open the box and see the secret for himself
Commit and Reveal Phase

Commit Phase: Sender holds X and sends the commitment s to the Receiver

Hiding: A computationally bounded receiver learns nothing about X.

Reveal Phase: Sender sends X together with the opening v to the Receiver; the Receiver runs the reveal verification algorithm on (s, v, X), which outputs yes/no

Binding: s can only be “opened” to the value X.
Properties of Commitment Schemes

Hiding - commitment hides the secret value that is being committed to

Binding - binds the commitment to the secret that is being committed to, ie, Alice cannot open the commitment for the same message to a different secret

Both of these properties can be either perfect or computational
Simplest Commitment Scheme

Hash Function

Choose a random r and a collision-resistant hash function H (eg. SHA256, SHA3, etc.)

Compute commitment com = H(r||m) to commit to secret m

Open the commitment by revealing m and r

Verifier recomputes com’ = H(r||m) and accepts if com’ == com


Homomorphic Commitment Scheme

Homomorphic Property:

Com(m_a; r_a) + Com(m_b; r_b) = Com(m_a + m_b; r_a + r_b)

Hash function is not homomorphic:

H(r_a || m_a) + H(r_b || m_b) ≠ H(r_a + r_b || m_a + m_b)
Pedersen Commitment Scheme

Pedersen is Homomorphic

Com(m1; r1) = g^{m1} h^{r1}

Com(m2; r2) = g^{m2} h^{r2}

Com(m1 + m2; r1 + r2) = g^{m1 + m2} h^{r1 + r2} = g^{m1} h^{r1} g^{m2} h^{r2} = Com(m1; r1) + Com(m2; r2)
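The Pedersen scheme above, worked as an added Python example (not code from the slides): commit, reveal-verify, combine two commitments homomorphically (the slides' "+" is the group operation, multiplication mod p), and show why binding depends on nobody knowing log_g h. The toy group p = 23, the hash-derived h, and all function names are my own assumptions.

```python
"""Pedersen commitment over the prime-order subgroup of Z_p^*.

Toy parameters (p = 23 = 2*11 + 1) chosen for illustration only; real
deployments use 2048-bit groups or an elliptic curve.
"""
import hashlib
import secrets

P = 23  # safe prime, p = 2q + 1
Q = 11  # order of the quadratic-residue subgroup we commit in
G = 4   # generator of that subgroup (4 = 2^2 is a square mod 23)


def derive_h(label: bytes) -> int:
    """Hash-to-subgroup so that nobody knows log_g h: square the hash
    output mod p (squares lie in the order-q subgroup) and skip 0 and 1."""
    ctr = 0
    while True:
        digest = hashlib.sha256(label + ctr.to_bytes(4, "big")).digest()
        h = pow(int.from_bytes(digest, "big") % P, 2, P)
        if h not in (0, 1):
            return h
        ctr += 1


H = derive_h(b"pedersen-h")  # constructed label, not from the slides

def commit(m: int, r=None, h: int = H):
    """Com(m; r) = g^m * h^r mod p; picks a fresh random r if none given."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, m, P) * pow(h, r, P)) % P, r

def verify(com: int, m: int, r: int, h: int = H) -> bool:
    """Reveal verification: recompute the commitment and compare."""
    return commit(m, r, h)[0] == com

def add_commitments(c1: int, c2: int) -> int:
    """Homomorphic combine: Com(m1;r1) * Com(m2;r2) = Com(m1+m2; r1+r2).
    The slides write this group operation as '+'."""
    return (c1 * c2) % P

def equivocate(m: int, r: int, m_new: int, trapdoor: int) -> int:
    """Binding is only computational: if log_g h = trapdoor were known, the
    same commitment would open to m_new with the r returned here.  This is
    why h must be derived transparently, as derive_h does."""
    return (r + (m - m_new) * pow(trapdoor, -1, Q)) % Q
```

Running `verify(add_commitments(c1, c2), m1 + m2, r1 + r2)` returns True for any two openings, which is the homomorphic property the slide derives.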


Sigma Protocol
