lecture proofs - 6893.csail.mit.edu
TRANSCRIPT
Lecture 14 : ZK Proofs onSecret - shared Data
MIT - G- 893
fall 2020
Henry Corrigan -Gibbs
Plan
* Recap : SNDRGS* App : Private Aggregation
Logistics* Zk Proof on Secret- shared Data
AHHH due Friday 5pm→ Def 're * OH, Today 3- 4:30pm
* Breakout rooms * guest lecture next
Wednesday .
* stretch Break
* Construction of 2-K Pfon Secret-shared Data
Recap : SNARG
←setup
ProveCsx) Verifier (C )0 it
s O1- ta n
* Prover convinces verifier that C is SAT( '- Ssi assignment starts with
-
" )* Ver:S. runs in time less than required to evaluate C* Proof is short ? Length depends only on see param.* Get 2- K
"
for free "
Encryptionof
Lpc sethpggpt.snKeyC
O Enorptionangfwe.PH 0 Checks
th- + → answers
p a
Private Aggregation . . . . -Ghani 88 .. - - - I
- Large # of clients holding values
×I,. . . .
, XnE t
- Server wants to learn .d Xi Etf→"
Degenerate " MPC in which ckt has onlyaddition gates - no Mnl gates .
Simple Protocolt
clients Servers0 [XIAt > D serve A
i. f si. ?icx :3.'
, GIB' §+SB= Xi
In 9 so. n.EC'D.> 1) Seba B
Simple Protocol
1.
CorrectnessAll parties honest ⇒ Get correct answer
2. Privacy
31 server honest ⇒ Protocol " leaks nothingmore then fix ..
"
[If you
don't care about efficiencyor clients going offline , every clientcan act as a server.
3.Concrete efficiency- One msg from client to each server- One msg from serves to each other
Applications [Annoying in practice'
.se?.ejdaemyTelemetry
*§ O is not used Priv mod
I 0-W
-
t good& I I 11
⇒ is Dn n Mozilla
Firefox users O
O
•How many Ff
swarms. .. ..,i÷÷÷÷÷÷
qt(I- pl by folks at Bu
D B FBD"B oo ¥111
" o Civil Society orgD D o
Hou much do m vs.
V
Boston employers gfctrosspaidppy.EE/pIF@
ApplicationsFederated leaning apptis pi n
j o
'DO
Phones
( avg gradient)
Pnb Health Statistics
O O
is is°
I
is is i÷÷÷k¥¥m.Phones
today ?
probhemulsimpbeprot.co/-No limits on range of client inputs .
Sum is computed E F ( i.e.mod p)
Server A
OEb
> DL EhsFf User
Server B
Should be : at Be {0,13'①
Evil user
can set : G)at B- anything c- t
arbitrary influence on output.
↳Output is cxi) +A f- sad:#hour
Really , we want to compute i.x.
- for x. c-0,13.
Fix using Zk
Server A
- DX Io Kb )
v
I qepttg.at^ Ths Server B
- DO
GTBO
÷¥¥¥÷:*:*
÷.⇒*.- Complete : Honest p (client)convinces honest Vs Gerry)
- Soundness : Dishonest P rarelyconvinces honest V
- 2- K : Servers learn nothing about x, except the XE B
↳ Each server can simulate its view . . .
→ Zk proof on secret - shared dataMultiple verifiers, each holds a share of data
.
Food
Constructing Zk on Secret -Shared Data
④a
> DProve Irs
- Iacelrcj
1- in Cx) . 9N B
> DVerifies
Kiera. Use linear Pops.
xe {0,4Gt ⇐ xcx - 1) so c- tKkk Nx - D)
I. Prover produces linear PCP itestmatestiyto fact that x satisfies C .
2.
Prom splits it into shares,sends
one shore to each verifier .
3. Verifies jointly make linear queriesto secret- shared input & proof.↳ Run LPCP wig only on answers
(9; .. - , as) ← (PCP. Quest )
CX), It's
a. I]
IT← LPCP. Proulx )
Ots'The 'T c- Fm Ca]. -4,43111T.
'
1- An :
:
i. SharedEft i randomness
[a]p=G , paths ) /a Ths
ar f]19, ,
. . .
,9,) ← LPCP
. Query ()
[a]. - firs -
- 29,1×3,111%3+5911 HID= (9
,
× HIT> as we need.
As before , completeness , soundness,2-k follow
almost immediately from properties of LPCP
EfficiencyP - V : 044 ) ft elms for clot of
size Kl
✓→ V : 011) IF elms. . .
one perlinen PCP
query.
Better Efficiency ?* Might like to reduce PSV communication
.
* Can do if det C has nice structureC - g. many repeated sub clots
[In some cases, requires interaction
.