One-out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin
Jens Groth
University College London
Markulf Kohlweiss
Microsoft Research
One-out-of-many statement
[Figure: Prover to Verifier: "One of them holds gold! But I will not tell you which one!"]
One-out-of-many proof
[Figure: Prover sends an argument to Verifier]
Zero-knowledge: it remains secret which one of them holds gold
Soundness: only accept if one of them holds gold
Ring signature
Ring signature: one of them signed, but it is secret who it was
Construction: non-interactive one-out-of-many argument of knowledge of a secret key corresponding to one of their public keys
Zerocoin
Coin spending: serial number 1001101
Anonymity: each coin has a unique secret serial number known only to its owner. Use a one-out-of-many proof to demonstrate that one of the coins has this serial number.
Membership proof
One-out-of-many proof that secret committed value belongs to a list
One-out-of-many proof for commitment to 0
Statement: claim that one of them is a commitment to 0
[Figure: Prover (holding the witness) and Verifier]
Soundness: the statement is true, there is a commitment to 0
Zero-knowledge: it remains secret which commitment contains 0
Pedersen commitments
• Setup with a commitment key that specifies a group of prime order and two random generators
• Commitment to a message using randomness, computed as
• Additively homomorphic: $\mathrm{com}(a) \cdot \mathrm{com}(b) = \mathrm{com}(a + b)$
• Perfectly hiding
• Computationally binding
  – Assuming it is hard to compute discrete logarithms
Sigma-protocols
• Special soundness (for a given number of challenges)
  – Compute the witness from answers to different challenges
• Special honest verifier zero-knowledge
  – Given the challenge, simulate the transcript
[Figure: Prover holds the statement and a witness s.t. …; Prover sends $a$; Verifier sends challenge $x \leftarrow \mathbb{Z}_p^*$; Prover sends $z$]
Main result: one-out-of-many proof
Sigma-protocol for one out of many commitments being a commitment to 0
  – Perfect completeness
  – Computational special soundness
  – Perfect special honest verifier ZK
Can use the Fiat-Shamir heuristic to make it non-interactive for ring signatures and Zerocoin

Rounds | Prover | Verifier | Communication
3      | expo.  | expo.    | group + field

For 256-bit elliptic curve groups: bytes
Binary tree
[Figure: binary tree over the commitments $c_0, c_1, c_2, c_3$ with $N = 2^n$ leaves and edges labelled 0/1; the secret leaf is $c_\ell = \mathrm{com}(0; r)$; Kronecker deltas $\delta_{00} = 1$, $\delta_{11} = 1$, $\delta_{01} = 0$, $\delta_{10} = 0$]
• Want to show $c_\ell$ is a commitment to 0
• Equivalently write and
• Want to show is a commitment to 0
Want SHVZK: cannot reveal
Commit to path
• Prover commits to
• Standard Sigma-protocol for knowledge of opening of commitment to
  – Run arguments for in parallel
[Figure: the same tree $c_0, c_1, c_2, c_3$, $N = 2^n$, $c_\ell = \mathrm{com}(0; r)$; the response for bit $j$ is $f_j = x \ell_j + a_j$]
Build polynomials of degree in the challenge
• We have and
• Define and and
• Check
[Figure: Prover commits to $\ell_j$ and $a_j$ (commitment $c_{\ell_j}$); Verifier sends challenge $x \leftarrow \mathbb{Z}_p^*$; Prover answers with $f_j$]
Polynomials defined by
• Use the committed path to construct polynomials in a verifiable manner
• Both prover and verifier can compute
• Prover sends before the challenge
If then is a commitment to 0; otherwise there is only a negligible chance of a commitment to 0
[Figure: communication]
One-out-of-many proofs
Sigma-protocol for one out of many commitments being a commitment to 0
Can save computation if the prover knows the openings of all commitments instead of just one of them

Prover knows one opening:
Rounds | Prover | Verifier | Communication
3      | expo.  | expo.    | group + field

Prover knows all openings:
Rounds | Prover | Verifier | Communication
3      | mult.  | expo.    | group + field
Membership proof
• Have a commitment and want to give an argument of knowledge of an opening to a value in the list
• Give a one-out-of-many proof for the statement
• Save computation since both prover and verifier know a lot about the commitments

Rounds | Prover | Verifier | Communication
3      | mult.  | mult.    | group + field
Fiat-Shamir heuristic
• Sigma-protocol has quasi-unique challenges
  – Hard to compute many different answers to a challenge
  – Implies the non-interactive argument is simulation-extractable in the random oracle model
[Figure: Prover holds the statement and a witness s.t. …; computes $a$, then $x \leftarrow \mathrm{Hash}(u, a, \mathrm{aux})$, then $z$; the non-interactive argument is $\pi = (a, z)$]
Ring signatures
• Ring contains public keys of the form $h^{r}$
• Interpret them as commitments to 0, i.e., $c_0 = h^{r_0}$, $c_1 = h^{r_1}$, $c_2 = h^{r_2}$
• Use the Fiat-Shamir heuristic with challenge to prove knowledge of some
• The signature is the non-interactive argument
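The slides above describe the construction in pieces (Pedersen commitments, committing to the path bits, the degree-$n$ polynomials $\prod_j f_{j,i_j}(x)$ whose $x^n$ coefficient singles out $c_\ell$, the Fiat-Shamir challenge, and the ring-signature use). The following is an added example written for this transcript, not code from the paper or its authors: a complete one-out-of-many argument over Pedersen commitments in a prime-order subgroup of $\mathbb{Z}_p^*$, plus a ring signature built from it in the way the slide states (public keys $h^{r_i}$ read as commitments to 0, the message fed into the hash). All names (`com`, `prove`, `verify`, `ring_demo`), the toy 62-bit safe-prime group, and the SHA-256 challenge encoding are this example's own assumptions; the group order is written `Q` here, where the slides write the challenge as drawn from $\mathbb{Z}_p^*$.

```python
import hashlib
import math
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):  # Miller-Rabin with fixed bases: deterministic for every n < 2**64
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        y = pow(a, d, n)
        if y not in (1, n - 1) and all((y := pow(y, 2, n)) != n - 1 for _ in range(s - 1)):
            return False
    return True

def find_safe_prime(start):  # smallest safe prime p = 2q + 1 with q >= start (deterministic)
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = find_safe_prime(1 << 61)  # toy 62-bit modulus for the demo; deployments use a 256-bit curve group
Q = (P - 1) // 2              # prime order of the subgroup of squares, our commitment group
G = 4                         # a square, hence a generator of the order-q subgroup
H = pow(2 + int.from_bytes(hashlib.sha256(b"second generator").digest(), "big") % (P - 3), 2, P)

def com(m, r):
    """Pedersen commitment com(m; r) = g^m h^r; com(a; r) * com(b; s) == com(a + b; r + s)."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P

bit = lambda i, j: (i >> j) & 1  # j-th binary digit i_j of index i

def poly_mul(a, b):  # product of two coefficient lists (lowest degree first) modulo q
    out = [0] * (len(a) + len(b) - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            out[i + j] = (out[i + j] + u * v) % Q
    return out

def challenge(aux, *msgs):  # Fiat-Shamir: x = Hash(aux, statement, first message), mapped into Z_q^*
    h = hashlib.sha256(aux)
    for grp in msgs:
        h.update(b"|".join(b"%d" % v for v in grp) + b"#")
    return 1 + int.from_bytes(h.digest(), "big") % (Q - 1)

def prove(cs, ell, r, aux=b""):
    """Non-interactive argument that cs[ell] == com(0; r), N = len(cs) = 2^n, hiding ell."""
    n = len(cs).bit_length() - 1
    assert len(cs) == 1 << n and cs[ell] == com(0, r)
    rj, a, s, t, rho = [[secrets.randbelow(Q) for _ in range(n)] for _ in range(5)]
    cl = [com(bit(ell, j), rj[j]) for j in range(n)]        # commit to the path: the bits of ell
    ca = [com(a[j], s[j]) for j in range(n)]                # masks a_j for f_j = x l_j + a_j
    cb = [com(bit(ell, j) * a[j], t[j]) for j in range(n)]  # lets the verifier check l_j in {0,1}
    # p_i(x) = prod_j f_{j,i_j}(x) with f_{j,1}(x) = l_j x + a_j, f_{j,0}(x) = (1 - l_j) x - a_j.
    # Its x^n coefficient is 1 iff i == ell; the lower coefficients p_{i,k} are committed in
    # c_{d_k} before the challenge so the verifier can cancel them out.
    polys = []
    for i in range(len(cs)):
        p = [1]
        for j in range(n):
            p = poly_mul(p, [a[j], bit(ell, j)] if bit(i, j) else [-a[j] % Q, 1 - bit(ell, j)])
        polys.append(p)
    cd = [com(0, rho[k]) for k in range(n)]
    for k in range(n):
        for i, c in enumerate(cs):
            cd[k] = cd[k] * pow(c, polys[i][k], P) % P
    x = challenge(aux, cs, cl, ca, cb, cd)
    f = [(bit(ell, j) * x + a[j]) % Q for j in range(n)]
    za = [(rj[j] * x + s[j]) % Q for j in range(n)]
    zb = [(rj[j] * (x - f[j]) + t[j]) % Q for j in range(n)]
    zd = (r * pow(x, n, Q) - sum(rho[k] * pow(x, k, Q) for k in range(n))) % Q
    return cl, ca, cb, cd, f, za, zb, zd

def verify(cs, proof, aux=b""):
    cl, ca, cb, cd, f, za, zb, zd = proof
    n = len(cl)
    if len(cs) != 1 << n:
        return False
    x = challenge(aux, cs, cl, ca, cb, cd)
    for j in range(n):  # f_j opens c_{l_j}^x c_{a_j}; c_{l_j}^{x - f_j} c_{b_j} opens to 0, so l_j is a bit
        if pow(cl[j], x, P) * ca[j] % P != com(f[j], za[j]):
            return False
        if pow(cl[j], (x - f[j]) % Q, P) * cb[j] % P != com(0, zb[j]):
            return False
    acc = 1  # prod_i c_i^{prod_j f_{j,i_j}} * prod_k c_{d_k}^{-x^k} must reduce to com(0; z_d)
    for i, c in enumerate(cs):
        acc = acc * pow(c, math.prod(f[j] if bit(i, j) else x - f[j] for j in range(n)) % Q, P) % P
    for k in range(n):
        acc = acc * pow(cd[k], -pow(x, k, Q) % Q, P) % P
    return acc == com(0, zd)

def ring_demo():  # constructed ring of 8 keys h^{r_i} (commitments to 0); member 5 signs a message
    sks = [secrets.randbelow(Q) for _ in range(8)]
    pks = [com(0, sk) for sk in sks]
    sig = prove(pks, 5, sks[5], b"pay 1 coin")  # the signature is the non-interactive argument
    return verify(pks, sig, b"pay 1 coin"), verify(pks, sig, b"pay 9 coins")
```

`ring_demo()` returns `(True, False)`: the proof verifies for the message it was made for and fails once the message, and hence the Fiat-Shamir challenge, changes. The communication matches the table on the slides: $3n$ commitments plus $n$ values $c_{d_k}$ before the challenge, and $3n + 1$ field elements after it, for $N = 2^n$ ring members. The `cb` commitments and the second check in `verify` are what force each committed path bit into $\{0, 1\}$; without them a prover could commit to a non-binary "index" and pass the polynomial check on a list containing no commitment to 0.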
Zerocoin
• Bulletin board with coins
• Each coin is a commitment to a serial number
• Spend a coin from a set anonymously by posting the serial number and proving that one of the coins in the set has this serial number
  – Prove that one of is a commitment to 0 using a Fiat-Shamir challenge
  – The serial number prevents double spending
  – Zero-knowledge guarantees anonymity
Summary
Sigma-protocol for one out of many commitments being a commitment to 0
  – Perfect completeness
  – Computational special soundness
  – Perfect special honest verifier ZK
Applications: membership proof, ring signature, Zerocoin

Rounds | Prover | Verifier | Communication
3      | expo.  | expo.    | group + field