Professional Documents
Culture Documents
Privacy Enhancing Technologies: Department of Computer Science
Privacy Enhancing Technologies: Department of Computer Science
confidentiality authenticity
m m
Alice Bob Alice Bob
Enc(m) Sig(m)
Key properties
[GMW87]
• zero knowledge
passive security active security • proof of knowledge
2010s blockchain technology
I know x
proof
s.t. y=F(x)
Additional key properties
• non-interactive
• publicly verifiable
• succinct (compact proof)
Cryptographic Proofs
a powerful defense against malicious behavior
especially in distributed protocols
Key properties
[GMW87]
• zero knowledge
passive security active security
• proof of knowledge
Why?
2010s blockchain technology Relaxed to argument of
knowledge (ARK)
I know x What is ARK?
proof
s.t. y=F(x) See later…
Additional key properties
• non-interactive
• publicly verifiable
• succinct
Introducing Zero Knowledge Proof
(ZKP)
"Zero-knowledge proofs are fascinating and extremely useful constructs.
They are both convincing and yet yield nothing beyond the validity of
the assertion being proved.” O. Goldreich
Goal:
• find the reporter Charlie in a
big picture,
• convince the verifier (me) that
1
to the others).
Solutions:
1. get a copy of the picture, cut out Charlie and
1
show it to me. 2
• The challenge: Bob can choose whether he wants to check the rows,
the columns, or the blocks. Eventually he picks one of these three
conditions at random.
• Prove: Alice proceeds to place the cards from each row inside an opaque
bag — one bag per row. She gives each bag a thorough shake, making
sure the index cards inside are mixed well and hands them to Bob.
1. Rinse and repeat: Alice repeats the procedure with Bob — each time
placing the same cards for the same Sudoku problem face down,
but letting Bob pick a different test at random.
1
2. After a long series of tests, Bob is forced to admit that Alice is either
2
an extremely lucky person, or, that she simply has a solution to the
Sudoku problem (or perhaps she could read his thoughts after all).
Witness/Solution
Prover Verifier
Completeness:
An honest prover Prover Verifier
convinces the verifier.
Soundness:
A dishonest provernever
Completeness: convinces the verifier.
An honest prover Prover Verifier
convinces the verifier. Computational guarantee
-> argument
Witness
Soundness:
A dishonest provernever
Completeness: convinces the verifier.
An honest prover Prover Verifier
convinces the verifier. Computational guarantee
Zero-knowledge:
-> argument
Nothing but the truth of the statement is revealed.
Interaction
Prover Verifier
Computation Communication Computation
Prover Verifier
Cryptographic
Assumption
Circuit SAT OR
OR
Determining whether a AND
given Boolean circuit has AND AND
an assignment of its inputs
that makes the output true AND
OR NOT
NOT
x1 x2 x3 x4 x5
CS6290: Privacy Enhancing Technologies
Slight difference
The underlying cryptographic primitives requires
algebraic representation.
• Arithmetic circuit instead of Boolean circuit
• Addition and multiplication gate instead of AND/NOT
Registers
Memory
pc r1 r2 r3 … … … … … flag
Primary Input
instruction1
instruction2 Random
Input Tapes Access
Instruction3
Auxiliary Input
TinyRAM …
Program …
…
Registers
Memory
pc r1 r2 r3 … … … … … flag
Primary Input
instruction1
instruction2 Random
Input Tapes Access
Instruction3
Auxiliary Input
TinyRAM …
Program …
…
Registers
Memory
pc r1 r2 r3 … … … … … flag
Primary Input
instruction1
instruction2 Random
Input Tapes Access
Instruction3
Auxiliary Input
TinyRAM …
Program …
…
TinyRAM program
based on theory
Circuit Generator of [BCGT13] arithmetic
circuit
circuit
⨉ +
ZK-SNARK for CircuitSAT +
⨉
based on theory C
of [GGPR13]
[BCIOP13]
CS6290: Privacy Enhancing Technologies
ZK-SNARK
• Adopted by Zcash in 2014
• SNARK: S stands for succinct, N for non-interactive, ARK for
argument (“fancy” name for computational soundness)
• The proof is short and blazingly fast to be verified
• Non-interactive requires non-transparent trusted setup phase
• Why argument? Succinctness inevitably requires computational
soundness, a relaxed assumption compared to statistical soundness
• Still computationally expensive-ish and bounded by memory
ZK-SNARK (2014)
time ∼ 28 min
V. total comm
comp ∼ 18.9 GB
Short Trusted
Fast P Fast V Practical?
Proofs Setup?
ZK-SNARK ✓ X ✓ X ✓
Hyrax X X ✓ish ✓ Xish
BulletProof ✓ X ✓ish ✓ ✓ish
ZKB++ X ✓ish ✓ ✓ ✓ish
Ligero Xish ✓ish ✓ ✓ Xish
ZKSTARK ✓ X ✓ ✓ X
time
1ab... 1 1 9be...
f3a... 0ac...
56f... 432...
⋮ 1 1 ⋮
112... ffa...
How does the world know that Bob has 1 Bitcoin to spend?
Check that he received it, and that he did not spend it.
type 1
type 2
coin
Attempt #1: plaintext serial numbers
mint mint spend mint spend view of
min
sn1 min
sn2 spend
sn2 min
sn3 spend
sn1 blockchain
t t t
Transaction types
mint Consume 1 BTC to create a value-1 coin w/ serial number sn.
sn
spend Consume the coin w/ serial number sn.
sn
Good:
cannot double spend
coin Bad:
serial spend linkable to its mint anyone
sn number can spend with sn!
…
Attempt #2: committed serial numbers
mint mint spend mint spend view of
min
cm1 min
cm2 spend
sn2, r2 min
cm3 spend
sn1, r1 blockchain
t t t
Transaction types
mint Consume 1 BTC to create a value-1 coin w/ commitment cm.
cm
spend Consume the coin w/ serial number sn.
sn, r
Good:
cannot double spend
others can't spend my coins
coin cm commitment
Bad:
COMM r spend linkable to its mint
sn
serial …
number
Attempt #3: ZKPoK of commitment
mint mint spend mint spend view of
min
cm1 min
cm2 spend
sn2, π2 min
cm3 spend
sn1, π1 blockchain
t t t
Transaction types
mint Consume 1 BTC to create a value-1 coin w/ commitment cm.
cm
spend Consume the coin w/ serial number sn.
sn, π Here is a ZK proof π that I know secret r s.t. [Sander Ta-Shma
CRYPTO 1999]
exists • cm "list of prior commitments"
well-formed • cm=COMM(sn;r) cm1
CRH
cm2
CRH
Good:
cm3
CRH
cannot double spend
cm4
CRH
root
cm5
others can't spend my coins spend
coin cm
CRH
commitment
cm6 and mint unlinkable
CRH
COMM r cm7 Bad:
CRH
serial cm8 fixed denomination (side channel
sn number that leaks information)
…
Attempt #4: variable denomination
mint mint spend mint spend view of
cmmin
1,v1,k1,r1 cmmin
2,v2,k2,r2 spend
sn 2, v2, π2 cmmin
3,v3,k3,r3 snspend
1, v1, π1 blockchain
t t t
Transaction types
mint Consume v BTC to create a value-v coin w/ commitment cm.
cm,v,k,r
spend Consume the coin w/ serial number sn.
sn,v, π Here is a ZK proof π that I know secret (r,s) s.t.
exists • cm "list of prior commitments"
well-formed • cm=COMM(v,k;r) & k=COMM(sn;s)
Good:
cannot double spend
others can't spend my coins
coin cm commitment
spend and mint unlinkable
COMM r variable denomination
value v COMM s Bad:
serial only hides sender
sn number
…
Attempt #5: payment addresses
mint mint spend mint spend view of
cmmin
1,v1,k1,r1 cmmin
2,v2,k2,r2 spend
sn 2, v2, π2 cmmin
3,v3,k3,r3 snspend
1, v1, π1 blockchain
t t t
Transaction types
mint Consume v BTC to create a value-v coin w/ commitment cm.
cm,v,k,r
spend Consume the coin w/ serial number sn.
sn,v, π Here is a ZK proof π that I know secret for (cm,k,r,s,ρ,apk,ask) s.t.
exists • cm "list of prior commitments"
well-formed • cm=COMM(v,k;r) & k=COMM(apk,ρ;s)
mine • sn=PRF(ρ;ask) & apk=PRF(0;ask)
Good:
spend and mint unlinkable
variable denomination
coin cm commitment
address Question:
COMM r sn serial apk spending process not complete, i.e., burn a
number
value v COMM s PRF ask PRF
coin and create another one that the payee
public
secret can use
key
apk ρ key 0
Attempt #6: direct payments
mint mint spend mint spend view of
cmmin
1,v1,k1,r1 cmmin
2,v2,k2,r2 snspend
2, cm4, π2 cmmin
3,v3,k3,r3 snspend
4, cm5, π4 blockchain
t t t
Transaction types
mint Consume v BTC to create a value-v coin w/ commitment cm.
cm,v,k,r
spend Consume coin w/ serial number snA & create coin w/ commitment cmB.
snA,cmB, π Here is a ZK proof π that I know secret (cmA,vA,kA,rA,sA,ρA,apkA,askA) s.t.
exists • cmA "list of prior commitments" (cmB,vB,kB,rB,sB,ρB,apkB)
well-formed • cmA=COMM(vA,kA;rA) & kA=COMM(apkA,ρA;sA)
mine • snA=PRF(ρA;askA) & apkA=PRF(0;askA) send out-of-band
well-formed • cmB=COMM(vB,kB;rB) & kB=COMM(apkB,ρB;sB)
or via blockchain
pour Consume (my) input coins w/ serial numbers snA and snB in order to
snA cmC create two output coins (maybe not mine) w/ commitments cmC and cmD.
snB cmD Here is a ZK proof π that I know secrets that demonstrate that
π • the input coins were minted at some point in the past,
• the output coins are well-formed,
• balance is preserved.
Single tx type for:
coin cm commitment
address ✓simple payments
COMM r sn serial apk ✓join coins
number
value v COMM s PRF ask PRF ✓split coins
secret ✓pay transaction fees
public
key
apk ρ key 0
Proof-of-concept implementation
mint
v Mint
cm,v,k,r
20μs 70B
x,π
S1 S2 S3 S4
Multi-Party Protocol
params