Zero Knowledge Proofs

Shared
Secret

Typical Proofs

reveal knowledge

in proving 26781 is not a prime

we reveal its factorization

Alice will convince Bob that an assertion is true
without revealing
anything in the process

Desired

Completeness
Soundness
Zero Knowledge

For all valid assertions, Verifier says "yes"

For all invalid assertions, Verifier says "no"

Verifier is convinced, but gains "zero knowledge"

Reality

Completeness
Soundness
Zero Knowledge

For all valid assertions, Verifier says "yes"

For all invalid assertions, Verifier says "no"

( with a very high probability )

Verifier is convinced, but gains "zero knowledge"

Colour blindness

analogy

Example uses

Proving
you have a preimage to a hash function

Discrete Logarithm Problem

ZkP \{(\color{red}a) : \color{blue}A = \color{blue}g^\color{red}a \}

\(\color{blue}g\) is the generator of cyclic group \(\color{blue}G\) of prime order \(\color{blue}p\)

\(\color{blue}A \in \color{blue}G \) is an arbitrary group element having discrete logarithm $$ \color{red}a = \log_\color{blue}g(\color{blue}A) $$

Interactive Protocol

ZkP \{(\color{red}a) : \color{blue}A = \color{blue}g^\color{red}a \}
\begin{matrix} \text{Prover} && \text{Verifier} \\ \color{red}k \leftarrow \mathbb{Z}_\color{blue}p \\ \color{blue}r = \color{blue}g^\color{red}k & \longrightarrow & \\ \\ & \longleftarrow & \color{blue}e \leftarrow \mathbb{Z}_\color{blue}p \\ \\ \color{blue}s = \color{red}k + \color{red}a\color{blue}e & \longrightarrow & \text{accept if } \\ && \color{blue}r = \color{blue}g^\color{blue}s \times \color{blue}A^{-\color{blue}e} \end{matrix}

Non Interactive Protocol

\begin{matrix} \text{Prover} && \text{Verifier} \\ \color{red}k \leftarrow \mathbb{Z}_\color{blue}p \\ \color{blue}r = \color{blue}g^\color{red}k \\ \color{blue}e \leftarrow \mathcal{H}(\color{blue}r) \\ \color{blue}s = \color{red}k + \color{red}a\color{blue}e & \longrightarrow & \text{accept if } \\ && \color{blue}r = \color{blue}g^\color{blue}s \times \color{blue}A^{-\color{blue}e} \end{matrix}

\( \mathcal{H} \) is function where every input is mapped to a unique output

learn more!

3 step process (NIP)

testNonInteractiveProof :: IO Bool
testNonInteractiveProof = do
  let secret = 42
  let a' = pointBaseMul secp256k1 secret
  
  -- Prover
  (r, k) <- commmitment

  -- Prover
  let e = oracle (show r)

  -- Prover
  let s = response k e secret

  -- Verifer 
  pure (verify a' r e s)

3 step process (IP)

testInteractiveProof :: IO Bool
testInteractiveProof = do
  let secret = 42
  let a' = pointBaseMul secp256k1 secret
  
  -- Prover
  (r, k) <- commmitment

  -- Verifier
  e <- challange

  -- Prover
  let s = response k e secret

  -- Verifer 
  pure (verify a' r e s)

Haskell or GTFO

\begin{matrix} \color{red}k \leftarrow \mathbb{Z}_\color{blue}p \\ \color{blue}r = \color{blue}g^\color{red}k \end{matrix}
commmitment :: MonadRandom m => m (Point, Integer)
commmitment = do
  k <- generateBetween 0 p
  pure (pointBaseMul secp256k1 k, k)
\text{Prover}
\color{blue}e \leftarrow \mathbb{Z}_\color{blue}p
challange :: MonadRandom m => m Integer
challange = generateBetween 0 p
\color{blue}s = \color{red}k + \color{red}a\color{blue}e 
response :: Integer -> Integer -> Integer -> Integer
response k chal secret = (k + chal*secret)

Haskell or GTFO

\begin{matrix} \text{accept if } \\ \color{blue}r = \color{blue}g^\color{blue}s \times \color{blue}A^{\color{blue}e} \end{matrix}
verify :: Point -> Point -> Integer -> Integer -> Bool
verify a' r e s = lhs == rhs 
  where
    lhs = pointBaseMul secp256k1 s
    rhs = pointAdd secp256k1 r (pointMul secp256k1 e a')
\text{Verifier}

Completeness

\begin{matrix} \text{accept if } \\ \color{blue}r & = & \color{blue}g^\color{blue}s \times \color{blue}A^{\color{blue}e} \\ \color{blue}r & = & \color{blue}g^{\color{red}k+\color{red}a\color{blue}e} \times ( \color{blue}g^\color{red}k)^{\color{blue}e} \\ \color{blue}r & = & \color{blue}g^{\color{red}k} \end{matrix}

And

Not Optimal

testAndProof :: IO (Bool, Bool)
testAndProof= do
  a <- testNonInteractiveProof
  b <- testNonInteractiveProof
  pure (a, b)

Common
Challenge And Response

Single commitment


testAndProof' :: IO Bool
testAndProof' = do
  
  let secretA = 42
  let a' = pointBaseMul secp256k1 secretA
  let secretB = 43
  let b' = pointBaseMul secp256k1 secretB
  
  -- Prover
  (r, k) <- commmitment

  -- Prover
  let e = oracle (show r)

  -- Prover
  let s = (response k e secretA) + e * secretB

  -- Verifer 
  pure (verifyAnd a' b' r e s)

verifyAnd a' b' r e s = lhs == rhs
  where
    lhs = pointBaseMul secp256k1 s
    rhs = pointAdd secp256k1 r (pointAdd secp256k1 a b)
    a = pointMul secp256k1 e a'  
    b = pointMul secp256k1 e b'

Equality

Title Text

testEqProof :: IO Bool
testEqProof = do
  
  let secret = 42
  let a' = pointBaseMul secp256k1 secret
  let b' = pointBaseMul secp192r1 secret
  
  -- Prover
  k <- generateBetween 0 p
  let rA = pointBaseMul secp256k1 k
  let rB = pointBaseMul secp192r1 k

  -- Prover
  let e = oracle (show [rA,rB])

  -- Prover
  let s = (response k e secret)

  -- Verifer 
  pure (verifyEq secp256k1 a' rA e s && verifyEq secp192r1 b' rB e s)
verifyEq :: Curve -> Point -> Point -> Integer -> Integer -> Bool
verifyEq curve a' r e s = lhs == rhs 
  where
    lhs = pointBaseMul curve s
    rhs = pointAdd curve r (pointMul curve e a')

Or

Fin.

I hope this was a

"talk about zero-knowledge” and not a

"zero-knowledge talk."

deck

By ..

Made with Slides.com

deck

  • 1,835

More from ..

  • Safer APIs with Ghosts of Departed Proofs
    ..
    5290
  • Linguistics
    ..
    2057
  • Mathematical Structure
    ..
    2029