Zero-Knowledge from MPC-in-the-Head: Constructions and Applications
Carmit Hazay, Faculty of Engineering, Bar-Ilan University
2019-02-20

Taxonomy of Proofs
1. P vs NP
2. Interactive vs Non-interactive
3. Trusted setup vs No setup (transparent)
4. ZK vs (only) Soundness
5. Succinct vs Non-succinct
6. Public-Key Crypto vs (only) Symmetric-Key Crypto

Prior Approaches to “Practical” ZK
1. Probabilistically Checkable Proofs (PCPs) [BFLS91, Kil92, Mic94, ALMSS98, AS98, DL08, GLR11, CMT12, BC12, DFH12, BCCT12, IMS12, Tha13, VSBW13], Interactive PCPs [KR08], Interactive Oracle PCPs [BCGT13, BCS16, RRR16, BCGRS16, BBCGGHPRSTV17, BBHR17]
2. Linear PCPs [IKO07, Gro10, GGPR13, BCIOP13, Gro10, Lip12, SMBW12, Lip13, PGHR13, BCGTV13, FLZ13, SBBPW13, Lip14, DFGK14, KPPSST14, ZPK14, CFHKKNPZ15, WSRBW15, BCTV14, BBFR15, Groth16, FFGKOP16, BFS16, BISW17, GM17, BBBPWM18]
3. Interactive Proofs (IP) [GKR08, ZGKPP17-18, WTSTW18]
4. Multiparty Computation (MPC) [IKOS07, GMO16, CDGORRSZ17, AHIV17, KKW18]
No setup; High prover’s complexity
Short Proofs; Fast Verification
Heavy Public-Key Crypto; Trusted Setup
Quantum Insecure
No setup; Moderate Public-Key Crypto

Zero-Knowledge from MPC [IKOS07]
• Goal: ZK proof for an NP-relation R(x,w)
• Towards using MPC:
  • Define n-party functionality g(x; w1,...,wn) = R(x, w1... wn)
  • Use OT-based MPC
  • Security in semi-honest model
Given MPC protocol for g(x; w1,...,wn) = R(x, w1... wn)
Prover holds w=w1... wn and runs parties P1,...,Pn on inputs w1,...,wn, obtaining views V1,...,Vn
1. Prover → Verifier: commit to views V1,...,Vn
2. Verifier → Prover: random i,j
3. Prover → Verifier: open views Vi, Vj
4. Verifier: accept iff output=1 & Vi,Vj are consistent

Analysis
• Completeness:
• Zero-knowledge: by 2-security of the MPC protocol and randomness of wi, wj
• Soundness: Suppose R(x,w)=0 for all w; then either (1) V1,...,Vn are consistent with the protocol or (2) V1,...,Vn are not consistent with the protocol
  (1) outputs=0 (perfect correctness), so verifier rejects
  (2) for some (i,j), Vi,Vj are inconsistent, so verifier rejects with prob. ≥ 1/(n choose 2)
• In fact, proof of knowledge
• Communication complexity: (comm. complexity + rand. complexity + input size) of the MPC protocol

ZKBoo: Faster Zero-Knowledge for Boolean Circuits [GMO16]
Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives (ZKB++) [CDGORRSZ17]

Zero-Knowledge from 3-Party GMW [IKOS07,GMO16]
Use 3-party GMW protocol OT for g(x; w1,w2,w3) = R(x, w1 w2 w3)
Prover holds w=w1 w2 w3 and runs parties P1, P2, P3 (with OT) on inputs w1, w2, w3, obtaining views V1, V2, V3
1. Prover → Verifier: commit to views V1,V2,V3
2. Verifier → Prover: random i,j
3. Prover → Verifier: open views Vi, Vj
4. Verifier: accept iff output=1 & Vi,Vj are consistent
Soundness error 2/3

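An added example, not code from the talk or from the cited papers: the commit / challenge / open / check flow above for three parties, with the OT-based GMW protocol swapped for the XOR-share decomposition used in ZKBoo [GMO16], where each AND gate needs only the next party's shares and random tape. The toy circuit, the salted SHA-256 commitments and all function names are assumptions; the `forge` flag models a prover that has no witness.

```python
import hashlib
import secrets

# Constructed toy relation (assumption): R(x, w) = 1 iff C(w) = x, with
# C(w) = (w0 AND w1) XOR (w2 AND w3) XOR w0. Wires 0..3 hold w; each gate adds a wire.
N_IN = 4
GATES = [("AND", 0, 1), ("AND", 2, 3), ("XOR", 4, 5), ("XOR", 6, 0)]
AND_GATES = [k for k, g in enumerate(GATES) if g[0] == "AND"]

def circuit(w):
    wires = list(w)
    for op, a, b in GATES:
        wires.append(wires[a] & wires[b] if op == "AND" else wires[a] ^ wires[b])
    return wires[-1]

def wires_of(view):
    """Rebuild a party's wire shares from its view = (input share, tape, AND outputs)."""
    share, _tape, and_out = view
    wires, recorded = list(share), iter(and_out)
    for op, a, b in GATES:
        wires.append(next(recorded) if op == "AND" else wires[a] ^ wires[b])
    return wires

def and_share(wi, wj, ti, tj, k):
    """Party i's share of AND gate k, computed from its own and party i+1's shares."""
    _, a, b = GATES[k]
    return (wi[a] & wi[b]) ^ (wj[a] & wi[b]) ^ (wi[a] & wj[b]) ^ ti[k] ^ tj[k]

def commit(view, salt):
    return hashlib.sha256(salt + repr(view).encode()).hexdigest()

def prover_commit(w, forge=False):
    """Run the three parties in the head; return (secret state, first message)."""
    def bits(n):
        return [secrets.randbelow(2) for _ in range(n)]
    shares = [bits(N_IN), bits(N_IN)]
    shares.append([b ^ s0 ^ s1 for b, s0, s1 in zip(w, *shares)])  # shares XOR to w
    tapes = [bits(len(GATES)) for _ in range(3)]
    wires, and_out = [list(s) for s in shares], [[], [], []]
    for k, (op, a, b) in enumerate(GATES):
        if op == "AND":
            new = [and_share(wires[i], wires[(i + 1) % 3], tapes[i], tapes[(i + 1) % 3], k)
                   for i in range(3)]
        else:
            new = [wires[i][a] ^ wires[i][b] for i in range(3)]
        for i in range(3):
            wires[i].append(new[i])
            if op == "AND":
                and_out[i].append(new[i])
    if forge:  # prover without a witness flips one recorded share to flip the output
        and_out[0][0] ^= 1
    views = [(tuple(shares[i]), tuple(tapes[i]), tuple(and_out[i])) for i in range(3)]
    salts = [secrets.token_bytes(16) for _ in range(3)]
    y = [wires_of(v)[-1] for v in views]  # output shares y1, y2, y3
    return (views, salts), ([commit(v, s) for v, s in zip(views, salts)], y)

def prover_open(state, e):
    views, salts = state
    return [(views[i], salts[i]) for i in (e, (e + 1) % 3)]

def verify(x, first_msg, e, opened):
    coms, y = first_msg
    i, j = e, (e + 1) % 3
    (vi, si), (vj, sj) = opened
    if commit(vi, si) != coms[i] or commit(vj, sj) != coms[j]:
        return False  # an opened view is not the committed one
    shape = (N_IN, len(GATES), len(AND_GATES))
    if any(tuple(len(part) for part in v) != shape for v in (vi, vj)):
        return False  # malformed view
    wi, wj = wires_of(vi), wires_of(vj)
    if y[0] ^ y[1] ^ y[2] != x or wi[-1] != y[i] or wj[-1] != y[j]:
        return False  # wrong output, or output shares do not match the opened views
    # Consistency: each AND share recorded by party i must follow from views i and i+1.
    return all(and_share(wi, wj, vi[1], vj[1], k) == vi[2][n]
               for n, k in enumerate(AND_GATES))

def run(x, w, e, forge=False):
    state, first_msg = prover_commit(w, forge)
    return verify(x, first_msg, e, prover_open(state, e))
```

Calling `run(x, w_bad, e, forge=True)` for e = 0, 1, 2 with a `w_bad` for which C(w_bad) ≠ x is accepted for two of the three challenges, matching the soundness error 2/3 stated on the slide.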
Extensions
• Variant 1: Use 1-secure MPC
  • Commit to views of parties + channels
  • Open one view and incident channels
• Variant 2: Directly get 2^-k soundness error via security in malicious model
  • n=O(k) parties
  • (n)-security with abort
  • Broadcast is “free”
• Handle MPC with error via coin-flipping

Prior Approaches to “Practical” ZK
4. Multiparty Computation (MPC) [IKOS07, GMO16, CDGORRSZ17, AHIV17, KKW18]
No Setup; Fast Prover
Post Quantum Secure; Everything Linear

Ligero: Lightweight Sublinear Arguments Without a Trusted Setup [AHIV17]

High-Level Overview
High level approach: use MPC in the head [IKOS07]
• Transform Honest-majority MPC to ZK
• Optimized and implemented in [GMO16,CDGORRSZ17]
Can the communication be sublinear? Communication complexity of (i.t.) MPC > circuit size
Key insight: Communication per party can be sublinear [DI06,IPS09]
MPC → Interactive PCP [KR08] → ZK [BCS16]

Main Result
Sublinear ZK arguments without trusted setup
o Simple, concretely efficient
o Symmetric-crypto only (eg, SHA256)
o Post-quantum secure
First “sublinear” arguments for NP that avoid both complex PCP machinery and public-key crypto
Concretely:
o 40-bit security: comm. is 0.5 |C| kb in the Boolean case
o Can be made non-interactive via Fiat-Shamir
o Can handle Boolean or arithmetic circuits
o Prover computation: Merkle Tree (O |C| leaves) + O |C| FFT’s of O |C| evaluations

Eg, SHA256 certification with 40-bit security, i.e. for statement y, prover proves knowledge of x such that SHA256(x) = y

                           Linear PCP [Pinocchio]   ZKBoo/++ [CDGORRSZ17]   Ligero
Communication              ~ bytes                  200 KB                  34 KB
Prover time                mins                     ~33ms                   140ms
Verifier time              <10ms                    ~38ms                   60ms
Asymptotic Communication   ~ bytes                  O(|C|)                  O( |C|)
Trusted Setup              YES                      NO                      NO
Amortization               NA                       NO                      YES

Proof Schematic
[Figure, built up over slides 25-35: proof schematic between Prover and Verifier. Surviving labels, in order of appearance: a; Boolean: X 2, AND/XOR; Arithmetic: X 3, AND; ENCODE; Root( ); f1, f2, f3, …; Row-wise; i1, i2, i3, …]
Proof Length: O(b + κ·a)
Computation: O(a) FFTs of O(b)

The Underlying MPC Protocol
Client C; Server S1, Server S2, …, Server Sn
1. Input sharing phase
  • Sharing of extended witness
  • Server’s view is a matrix column
2. Local computation
  • Proofs of correctness

Idea 1: Shamir Secret Sharing [S79]
Pick a random t-degree polynomial p such that p(0) is secret
Distribute p(1), …, p(n)
t shares do not reveal the secrets
(n-t)/2 modified shares do not affect correctness

Idea 1: Packed Secret Sharing [FY92]
Pick a random t+ℓ-degree polynomial p such that p(0), p(-1), …, p(-ℓ) are secrets
Distribute p(1), …, p(n)
t+ℓ shares do not reveal the secrets
[Figure: ℓ=3]

Idea 2: Testing Interleaved RS Codes
[Diagram between Prover and Verifier, built up over slides 39-43. Messages, in order of appearance: Root( ); f1, f2, f3, …; z(x) = Σ_j f_j · p_j(x); i1, i2, i3, …]
Check
• z(x) is of degree t+ℓ
• z(i) = Σ_j f_j · p_j(i)

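An added example (not from the talk or from the Ligero code base) of the test on these slides: rows p_j encoded as Reed-Solomon codewords, columns committed under a Merkle root, and the verifier checking z(x) = Σ_j f_j · p_j(x) at the opened columns. The field 2^61-1, the evaluation points 1..n, the hash domain tags and all function names are assumptions, and the blinding needed for zero knowledge is left out.

```python
import hashlib
import secrets

P = 2**61 - 1  # prime field modulus (assumption; the slides do not fix a field)

def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):  # Horner's rule, coefficients stored low to high
        acc = (acc * x + c) % P
    return acc

def encode(polys, n):
    """Row j is the Reed-Solomon codeword (p_j(1), ..., p_j(n))."""
    return [[poly_eval(p, i) for i in range(1, n + 1)] for p in polys]

def leaf(column):
    return hashlib.sha256(b"leaf" + b"".join(v.to_bytes(8, "big") for v in column)).digest()

def node(left, right):
    return hashlib.sha256(b"node" + left + right).digest()

def merkle_levels(leaves):  # number of leaves must be a power of two
    levels = [leaves]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([node(prev[k], prev[k + 1]) for k in range(0, len(prev), 2)])
    return levels

def merkle_path(levels, idx):
    path = []
    for level in levels[:-1]:
        path.append(level[idx ^ 1])
        idx //= 2
    return path

def merkle_check(root, idx, leaf_hash, path):
    h = leaf_hash
    for sibling in path:
        h = node(h, sibling) if idx % 2 == 0 else node(sibling, h)
        idx //= 2
    return h == root

def prover_commit(matrix):
    return merkle_levels([leaf(col) for col in zip(*matrix)])  # one leaf per column

def prover_combine(polys, f):
    """Coefficients of z(x) = sum_j f_j * p_j(x)."""
    return [sum(fj * p[k] for fj, p in zip(f, polys)) % P for k in range(len(polys[0]))]

def prover_open(matrix, levels, queries):
    return [(i, [row[i] for row in matrix], merkle_path(levels, i)) for i in queries]

def verifier_check(root, degree, f, z, queries, openings):
    if len(z) > degree + 1:  # z(x) must have degree at most t+l
        return False
    if [i for i, _, _ in openings] != list(queries):
        return False  # prover must open exactly the queried columns
    for i, column, path in openings:
        if len(column) != len(f) or not all(0 <= c < P for c in column):
            return False
        if not merkle_check(root, i, leaf(column), path):
            return False  # column is not the committed one
        if poly_eval(z, i + 1) != sum(fj * c for fj, c in zip(f, column)) % P:
            return False  # z(i) != sum_j f_j * p_j(i)
    return True

def run_test(polys, matrix, degree, queries):
    """One run; `matrix` is what the prover commits to, honest when it equals encode(polys)."""
    levels = prover_commit(matrix)
    f = [1 + secrets.randbelow(P - 1) for _ in polys]  # verifier's random nonzero f_j
    z = prover_combine(polys, f)
    openings = prover_open(matrix, levels, queries)
    return verifier_check(levels[-1][0], degree, f, z, queries, openings)
```

A corrupted entry in a column that is not queried goes unnoticed in a single run, which is why the verifier opens several random columns.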
Idea 3: Testing Quadratic Constraints
[Diagram between Prover and Verifier, built up over slides 44-47. Messages, in order of appearance: f1, f2, f3, …; z(x) = Σ_j f_j · (p_j(x) · q_j(x) − r_j(x)); i1, i2, i3, …]
Check
• z(i) = Σ_j f_j · (p_j(i) · q_j(i) − r_j(i))

Post-Quantum Signatures from NIZK [CDGORRSZ17,KKW18]

Obtaining (Post Quantum) Signatures from NIZK
The signature scheme:
PK: y=PRF_k(0^k) where PRF is a block cipher
Sig(m): a proof for (y,k) on a challenge H(a,m)
Advantages:
• Based on symmetric-key primitives
• Easily extendable to ring and group signatures

High-Level Overview [KKW18]
Use MPC-in-the-head in the preprocessing model
• Check consistency of preprocessing using cut-and-choose
MPC-in-the-head can be instantiated with dishonest majority protocols
• Semi-honest instances for generating correlated randomness
• Implies two versions of 5/3 rounds

Removing Interaction via the Fiat-Shamir Transform
Interactive: Prover → Verifier: a; Verifier → Prover: c; Prover → Verifier: z
Non-interactive: Prover → Verifier: a, z; both Prover and Verifier compute c=H(x,a)
Analysis can be extended to any constant round public-coin protocol and beyond [BCS16]

Scalable Transparent Proofs (STARK, Aurora)
• Proof length and round complexity scale with log |C| [BBHR18,BCRSVW18]
• Prover’s running time better in Ligero

Thank you!
That’s a true statement!