Efficient Zero-Knowledge Proofs Jens Groth University College London

Zero-knowledge proof ProverVerifier Witness  Soundness: Statement is true Zero-knowledge: Nothing but truth revealed Statement

Internet voting VoterElection authorities Enc pk (vote;r) Witness: vote, r Encryption: The vote is private Is the vote valid? The vote is valid  Soundness: The encrypted vote is valid Zero-knowledge: The vote remains secret

Multi-party computation PeggyVictor xy f(x,y) Did you follow the protocol correctly? I followed the protocol correctly Soundness: Peggy followed protocol Zero-knowledge: Peggy’s input remains secret zk proof

Signatures SignerVerifier sk = x vk = f(x) I know x and m Fiat-Shamir heuristic: If ZK proof is public coin make it non-interactive by using hash-function to compute challenges Sign sk (m)

Statements Statements of the form x  L –L is an NP-language –Prover’s witness is w such that (x,w)  R L Examples –The plaintext of c using public key pk is m Witness is r such that c = Enc pk (m;r) –The circuit C is satisfiable Witness w input to circuit such that C(w)=1 Circuit Satisfiability is an NP-complete language

Interactive proof system for L Efficient interactive algorithms P, V –The prover algorithm P takes as initial input a statement x and a witness w such that (x,w)  R L –The verifier algorithm V takes as initial input a statement x P and V interact and afterwards V returns a bit b –b = 1 corresponds to accept –b = 0 corresponds to reject Completeness: –Honest P on (x,w)  R L always makes honest V accept

Soundness Soundness: Pr[ x  L and b=1]  0 Adversary Verifier xLxL b

Proof or argument Proof (statistical/perfect soundness): –(P,V) is a proof system for L if an unbounded adversary has negligible chance of convincing the verifier on a false statement Argument (computational soundness): –(P,V) is an argument system for L if a non-uniform polynomial time adversary has negligible chance of convincing the verifier on a false statement

Zero-knowledge Zero-knowledge: –The proof only reveals the statement is true, it does not reveal anything else Defined by simulation: –The adversary can simulate the proof without knowing the prover’s witness xLxL xLxL

Efficiency Parameters –Communication –Verifier computation –Prover computation –Number of rounds of interaction Fiat-Shamir heuristic: Public coin protocol where verifier just sends random challenges. Can replace verifier with cryptographic hash-function Gives non-interactive protocol that may be verified many times.

Our goal Sublinear communication Linear computation for verifier Quasi-linear computation for prover Constant round complexity Cannot leak many bits about witness. Zero-knowledge easy. Must convince verifier using less bits than the witness. Soundness hard.

Example Language L = {(p,G,G,H,U,V) |  w: U=G w,V=H w } –G is a prime order p group, G,H,U,V  G ProverVerifier A=G r, B=H r x f  wx+r Accept if U x A = G f V x B = H f Completeness: U x A = (G w ) x G r = G wx+r = G f V x B = (H w ) x H r = H wx+r = H f So verifier accepts Soundness: U x A = (G u ) x G a = G ux+a = G f V x B = (H v ) x H b = H vx+b = H f So ux+a  vx+b, which is very unlikely for a randomly chosen x unless u = v and a = b It is not zero-knowledge It is special honest verifier zero-knowledge: Given x in advance simulate by picking f at random and computing A=G f U -x, B=H f V -x A, B f

Batch proofs Language L = {(p,G,G,H,U 1,V 1,…,U n,V n ) |  w 1,…,w n : U 1 =G w 1,V 1 =H w 1,…,U n =G w n,V n =H w n } ProverVerifier A=G r, B=H r x f  r+  w i x i Accept if A  U i x i = G f B  V i x i = H f A, B f Soundness: A  U i x i = G a  (G u i ) x i = G a+  u i x i = G f B  V i x i = H b  (H v i ) x i = H b+  v i x i = H f So a+  u i x i  b+  v i x i, which is very unlikely for a randomly chosen x unless a = b and u i = v i

Schwartz-Zippel lemma Given two different polynomials p(X)  q(X) in Z p [X] of degree n, the chance over random x  Z p that p(x)=q(x) is at most n/p In our batch proof, the probability of a+  u i x i  b+  v i x i is at most n/p for random x unless a = b and u i = v i

Pedersen commitment Commitment key ck = (p,G,G,H) Commit(a;r) = G a H r where r  Z p Opening of commitment C is (a,r) such that C=G a H r Computationally binding: –Cannot find a  b, r,s such that G a H r = G b H s Perfectly hiding: –No matter what a is we get random group element C

Generalized Pedersen commitment Commitment key ck = (p,G,G 1,…,G n,H) Commit(a 1,…,a n ;r) = H r  G i a i where r  Z p Computationally binding: –Cannot find (a 1,…,a n,r)  (b 1,…,b n,s) for same C Perfectly hiding: –For all (a 1,…,a n ) we get random group element C

Generalized Pedersen commitment Commit(a 1,…,a n ;r) = H r  G i a i where r  Z p Length-reducing: –A single group element even for large vectors (a 1,…,a n ) Homomorphic: Commit(a 1,…,a n ;r) ∙ Commit(b 1,…,b n ;s) =Commit(a 1 +b 1,…,a n +b n ;r+s)

Identical committed matrices A=B A 1 =commit(a 1 ;r 1 ) … A m =commit(a m ;r n ) B 1 =commit(b 1 ;s 1 ) … B m =commit(b m ;s n ) ProverVerifier C,D x f,r,s Accept if C  A i x i =com(f;r) D  B i x i =com(f;s) Soundness: C  A i x i = com(t+  a i x i ;r) = com(f;r) D  B i x i = com(t’+  b i x i ;s) = com(f;s) So t+  a i x i = t’+  b i x i, which is very unlikely for a randomly chosen x unless a i =b i and hence A=B Completeness: C=commit(t;r 0 ), D=commit(t;s 0 ) f=t+  a i x i, r=r 0 +  r i x i, s=s 0 +  s i x i

Efficiency Communication: 2m+n group and field elements Verifier computes: 2m exponentiations Prover computes: 2mn exponentiations Rounds: 3 Compare to O(mn) complexity using standard Pedersen commitments and no batching

Circuit Satisfiability General: NP-complete Model: Resembles real computation Benchmark: Widely used in ZK proofs NAND a1a1 b1b1 b2b2 1 a2a2

Standard zero-knowledge argument for CSAT Prove committed a 1,a 2,b 1,b 2  {0,1} Prove committed a 2 =  (a 1  b 1 ), 1=  (a 2  b 2 ) Total cost for N-gate circuit: –O(N) group and field elements –O(N) exponentiations for both prover and verifier NAND Commit(a 1 ;r 1 ) Commit(b 2 ;s 2 ) Commit(b 1 ;s 1 ) Commit(a 2 ;r 2 ) Commit(1;0) Committed a,b,c such that c=  (a  b) Homomorphic property gives 1-c Multiplication proof for 1-c=ab Cost O(1) group and field elements O(1) exponentiations for prover O(1) exponentiations for verifier Committed a  {0,1} Multiplication proof for a ∙ a=a Cost O(1) group and field elements O(1) exponentiations for prover O(1) exponentiations for verifier

Batch proof for Circuit Satisfiability Commit(a 1,a 2 ;r), Commit(b 1,b 2 ;s) Batch proof for a 1,a 2,b 1,b 2  {0,1} Batch proof for a 2 =  (a 1  b 1 ), 1=  (a 2  b 2 ) Total cost for N-gate circuit: –O(  N) group and field elements –O(N) multiplications for both prover and verifier NAND a1a1 a2a2 b1b1 b2b2

Batched commitment to wires of circuit Public commitment key (p,G,H,G 1,…,G n ) Commit to a 1,…,a N, where N=mn, as A 1 = Commit(a 11,…,a 1n ;r 1 ) … A m = Commit(a m1,…,a mn ;r m ) Cost of committing to N=mn field elements –Commitment key has n group elements –There are m commitments –Batched openings contain n field elements –Setting m=n the cost is O(  N) group and field elements

Batch argument for committed wires being 0/1 Want to show Commit(a 11,…,a 1n ;r 1 ) …satisfy a ij  {0,1} Commit(a m1,…,a mn ;r m ) Equivalent to showing a ij (a ij -1)=0 Define b ij =a ij -1 and s i =r i and compute Commit(b 11,…,b 1n ;s 1 ) = Commit(a 1 ;r 1 ) Commit(-1;0) … Commit(b m1,…,b mn ;s m )=Commit(a m ;r m )Commit(-1;0) Now need to show a ij b ij =0

Batch product argument Want to show a ij b ij =0 for committed values Commit(a 11,…,a 1n ;r 1 ) Commit(b 11,…,b 1n ;s 1 ) … Commit(a m1,…,a mn ;r m ) Commit(b m1,…,b mn ;s m ) Let verifier pick random y,z  Z p Will demonstrate  i  j y i a ij b ij z j =0 Schwartz-Zippel tells us unless for all i,j: a ij b ij =0 negligible probability this is true

Simplifying the batch product argument Given y,z prover will demonstrate  i  j y i a ij b ij z j =0 for commitments Commit(a i1,…,a in ;r i )Commit(b i1,…,b in ;s i ) Defining (u 1,…,u n )  (v 1,…,v n )=  j u j v j z j the prover’s task is to demonstrate  i y i a i  b i =0 Using the homomorphic property we have Commit(y i a i ;y i r i ) = Commit(a i ;r i ) y i This simplifies reduces the prover’s task to show Commit(a i ’;r i ’)Commit(b i ;s i ) contains values that satisfy  i a i ’  b i =0

Idea behind batch ZK argument b 1 b 2 b 3 a 1 a 1  b 1 a 1  b 2 a 1  b 3 a 2 a 2  b 1 a 2  b 2 a 2  b 3 a 3 a 3  b 1 a 3  b 2 a 3  b 3 a1b1+a2b2+a3b3a1b1+a2b2+a3b3

Idea behind batch ZK argument  x -1 b 1 + x -2 b 2 + x -3 b 3 x 1 a 1 a 1  b 1 x -1 a 1  b 2 x -2 a 1  b 3 + x 2 a 2 x 1 a 2  b 1 a 2  b 2 x -1 a 2  b 3 + x 3 a 3 x 2 a 3  b 1 x 1 a 3  b 2 a 3  b 3 a1b1+a2b2+a3b3a1b1+a2b2+a3b3 x -1 (a 1  b 2 +a 2  b 3 ) x -2 (a 1  b 3 ) x1(a2b1+a3b2)x1(a2b1+a3b2) x2(a3b1)x2(a3b1)

Main part of the batch product argument Given commitments and weighted inner product  Commit(a 1 ;r 1 )Commit(b 1 ;s 1 ) …… Commit(a m ;r m )Commit(b m ;s m ) show they contain values that satisfy  i a i  b i =0 Prover sends commitments C -m,…,C -1,C 1,…,C m C k = Commit(c k ;t k )c k =  i-j=k a i  b j Verifier sends random challenge x  Z p * Prover gives zero-knowledge argument for (  x i a i )  (  x -j b j ) =  x k c k Use homomorphic properties to compute A =  A i x i = Commit(  x i a i ;  x i r i ) B =  B j x -j = Commit(  x -j b j ;  x -j s j ) C =  C k x k = Commit(  x k c k ;  x k t k ) The final ZK argument costs O(n) field elements and O(n) exponentiations for prover and verifier Soundness: Look at coefficient for x 0. The equation gives  i-j=0 x i-j a i  b j =  i a i  b i = c 0 = 0 By the Schwartz-Zippel lemma negligible probability over x for this being true unless  i a i  b i = 0 as we wanted to show

Total batch proof Goal: Prove N=mn committed a ij  {0,1} Method: a ij b ij =0where b ij =a ij -1 –Verifier sends challenges y,z –Prover sends C -m,…,C -1,C 1,…,C m –Verifier sends challenge x –Prover argues A,B,C contains a j,b j,c j such that a j b j =c j Cost: –Communicates O(m+n) group and field elements –Verifier uses O(m+n) exponentiations

Prover’s computation b 1 b 2 b 3 a 1 a 1  b 1 a 1  b 2 a 1  b 3 a 2 a 2  b 1 a 2  b 2 a 2  b 3 a 3 a 3  b 1 a 3  b 2 a 3  b 3 a1b2+a2b3a1b2+a2b3 a1b3a1b3 a2b1+a3b2a2b1+a3b2 a3b1a3b1 Naively m 2 n multiplications Instead evaluate in 2m points  1,...,  2m and use polynomial interpolation to find coefficients of (  a i  i )(  b j  -j ) =  c k  k Using FFT to evaluate  a i  i and  b j  -j the cost is O(N log m)

Batch proof for Circuit Satisfiability Commit(a 1,a 2 ;r), Commit(b 1,b 2 ;s) Batch proof for a 1,a 2,b 1,b 2  {0,1} Batch proof for a 2 =  (a 1  b 1 ), 1=  (a 2  b 2 ) Batch wire consistency proof NAND a1a1 a2a2 b1b1 b2b2

Wire consistency (sketch) Committed outputs of gates a i matching inputs b i to other gates in circuit Given permutation  defined by circuit wiring prover wants to show b i = a  (i) Verifier picks random challenge x Prover demonstrates  x i b i =  x  (i) a  (i) Cost: –Communication: O(m+n) elements –Verifier computation: O(N) multiplications –Prover computation: O(N log N) multiplications

Cost for N-gate circuit Standard argument –O(N) elements –O(N) verifier expos –O(N) prover expos –3 rounds Batch argument –O(  N) elements –O(N) verifier mults –O(N log N) prover mults –5 rounds

Further developments Can they be even more efficient? Yes, pairing-based techniques gives us communication of O(N 1/3 ) elements Can they be combined with group elements? Yes

Efficient ZK arguments over fields & groups Can do addition using homomorphic properties Can use our techniques to show multiplicative relationship between committed values Gives us linear algebra over committed elements –For instance committed matrices satisfy AB=C Statements involving group elements and exponentiations –For instance C=  i  j A ij b ij

Intuition x -1 b 1 + x -2 b 2 + x -3 b 3 A 1 x 1 A 1 b 1 A 1 x -1 b 2 A 1 x -2 b 3 ∙ A 2 x 2 A 2 x 1 b 1 A 2 b 2 A 2 x -1 b 3 ∙ A 3 x 3 A 3 x 2 b 1 A 3 x 1 b 2 A 3 b 3 A 1 x -2 b 3 A 1 x -1 b 2 ∙ A 2 x -1 b 3 A 2 x 1 b 1 ∙ A 3 x 1 b 2 A 1 b 1 ∙ A 2 b 2 ∙ A 3 b 3 A 3 x 2 b 1

Application to mix-nets m π (1) m π (2) m π (N) … π1π1 π2π2 π = π 1  π 2 m1m1 m2m2 mNmN Threshold decryption

Problem: Corrupt mix-server m π (1) m π (2) m´ π (N) … π1π1 π2π2 π = π 1  π 2 m1m1 m2m2 mNmN Threshold decryption

Mix-server gets input ciphertexts c 1,…,c N Permutes and rerandomizes ciphertexts c 1 ’=c  (1) ∙ (G r 1,H r 1 ), …, c N ’=c  (N) ∙ (G r N,H r N ) Zero-knowledge argument for correct shuffle –Joint work with Stephanie Bayer, UCL –Communication: 16  N elements –Verifier computation: 4N exponentiations –Prover computation: O(N log N) exponentiations –Rounds:9 ElGamal shuffle Statement (c 1,c 1 ’,...,c N,c N ’) can be huge. For instance election with 100,000 voters. Experimental results for N=100,000 N=mn, where m=16, |p|=1024, |q|=160 Communication: 2.5 MB Verifier computation: 52 seconds Prover computation: 135 seconds

Vision Zero-knowledge proofs should be the cheapest component in cryptographic protocols –Something you can just throw in automatically without significant overhead Thank you!