Zero Knowledge Proofs
Shared
Secret
Typical Proofs
reveal knowledge
in proving 26781 is not a prime
we reveal its factorization
Alice will convince Bob that an assertion is true
without revealing
anything in the process
Desired
Completeness
Soundness
Zero Knowledge
For all valid assertions, Verifier says "yes"
For all invalid assertions, Verifier says "no"
Verifier is convinced, but gains "zero knowledge"
Reality
Completeness
Soundness
Zero Knowledge
For all valid assertions, Verifier says "yes"
For all invalid assertions, Verifier says "no"
( with a very high probability )
Verifier is convinced, but gains "zero knowledge"
Colour blindness
analogy
Example uses
Proving
you have a preimage to a hash function
Discrete Logarithm Problem
ZkP \{(\color{red}a) : \color{blue}A = \color{blue}g^\color{red}a \}
\(\color{blue}g\) is the generator of cyclic group \(\color{blue}G\) of prime order \(\color{blue}p\)
\(\color{blue}A \in \color{blue}G \) is an arbitrary group element having discrete logarithm $$ \color{red}a = \log_\color{blue}g(\color{blue}A) $$
Interactive Protocol
ZkP \{(\color{red}a) : \color{blue}A = \color{blue}g^\color{red}a \}
\begin{matrix}
\text{Prover} && \text{Verifier}
\\
\color{red}k \leftarrow \mathbb{Z}_\color{blue}p
\\
\color{blue}r = \color{blue}g^\color{red}k & \longrightarrow &
\\
\\
& \longleftarrow & \color{blue}e \leftarrow \mathbb{Z}_\color{blue}p
\\
\\
\color{blue}s = \color{red}k + \color{red}a\color{blue}e & \longrightarrow & \text{accept if } \\ && \color{blue}r = \color{blue}g^\color{blue}s \times \color{blue}A^{-\color{blue}e}
\end{matrix}
Non Interactive Protocol
\begin{matrix}
\text{Prover} && \text{Verifier}
\\
\color{red}k \leftarrow \mathbb{Z}_\color{blue}p
\\
\color{blue}r = \color{blue}g^\color{red}k
\\
\color{blue}e \leftarrow \mathcal{H}(\color{blue}r)
\\
\color{blue}s = \color{red}k + \color{red}a\color{blue}e & \longrightarrow & \text{accept if } \\ && \color{blue}r = \color{blue}g^\color{blue}s \times \color{blue}A^{-\color{blue}e}
\end{matrix}
\( \mathcal{H} \) is function where every input is mapped to a unique output
learn more!
3 step process (NIP)
testNonInteractiveProof :: IO Bool
testNonInteractiveProof = do
let secret = 42
let a' = pointBaseMul secp256k1 secret
-- Prover
(r, k) <- commmitment
-- Prover
let e = oracle (show r)
-- Prover
let s = response k e secret
-- Verifer
pure (verify a' r e s)
3 step process (IP)
testInteractiveProof :: IO Bool
testInteractiveProof = do
let secret = 42
let a' = pointBaseMul secp256k1 secret
-- Prover
(r, k) <- commmitment
-- Verifier
e <- challange
-- Prover
let s = response k e secret
-- Verifer
pure (verify a' r e s)
Haskell or GTFO
\begin{matrix}
\color{red}k \leftarrow \mathbb{Z}_\color{blue}p
\\
\color{blue}r = \color{blue}g^\color{red}k
\end{matrix}
commmitment :: MonadRandom m => m (Point, Integer)
commmitment = do
k <- generateBetween 0 p
pure (pointBaseMul secp256k1 k, k)
\text{Prover}
\color{blue}e \leftarrow \mathbb{Z}_\color{blue}p
challange :: MonadRandom m => m Integer
challange = generateBetween 0 p
\color{blue}s = \color{red}k + \color{red}a\color{blue}e
response :: Integer -> Integer -> Integer -> Integer
response k chal secret = (k + chal*secret)
Haskell or GTFO
\begin{matrix}
\text{accept if } \\ \color{blue}r = \color{blue}g^\color{blue}s \times \color{blue}A^{\color{blue}e}
\end{matrix}
verify :: Point -> Point -> Integer -> Integer -> Bool
verify a' r e s = lhs == rhs
where
lhs = pointBaseMul secp256k1 s
rhs = pointAdd secp256k1 r (pointMul secp256k1 e a')
\text{Verifier}
Completeness
\begin{matrix}
\text{accept if } \\
\color{blue}r & = & \color{blue}g^\color{blue}s \times \color{blue}A^{\color{blue}e} \\
\color{blue}r & = & \color{blue}g^{\color{red}k+\color{red}a\color{blue}e} \times ( \color{blue}g^\color{red}k)^{\color{blue}e} \\
\color{blue}r & = & \color{blue}g^{\color{red}k}
\end{matrix}
And
Not Optimal
testAndProof :: IO (Bool, Bool)
testAndProof= do
a <- testNonInteractiveProof
b <- testNonInteractiveProof
pure (a, b)
Common
Challenge And Response
Single commitment
testAndProof' :: IO Bool
testAndProof' = do
let secretA = 42
let a' = pointBaseMul secp256k1 secretA
let secretB = 43
let b' = pointBaseMul secp256k1 secretB
-- Prover
(r, k) <- commmitment
-- Prover
let e = oracle (show r)
-- Prover
let s = (response k e secretA) + e * secretB
-- Verifer
pure (verifyAnd a' b' r e s)
verifyAnd a' b' r e s = lhs == rhs
where
lhs = pointBaseMul secp256k1 s
rhs = pointAdd secp256k1 r (pointAdd secp256k1 a b)
a = pointMul secp256k1 e a'
b = pointMul secp256k1 e b'
Equality
Title Text
testEqProof :: IO Bool
testEqProof = do
let secret = 42
let a' = pointBaseMul secp256k1 secret
let b' = pointBaseMul secp192r1 secret
-- Prover
k <- generateBetween 0 p
let rA = pointBaseMul secp256k1 k
let rB = pointBaseMul secp192r1 k
-- Prover
let e = oracle (show [rA,rB])
-- Prover
let s = (response k e secret)
-- Verifer
pure (verifyEq secp256k1 a' rA e s && verifyEq secp192r1 b' rB e s)
verifyEq :: Curve -> Point -> Point -> Integer -> Integer -> Bool
verifyEq curve a' r e s = lhs == rhs
where
lhs = pointBaseMul curve s
rhs = pointAdd curve r (pointMul curve e a')
Or
Fin.
I hope this was a
"talk about zero-knowledge” and not a
"zero-knowledge talk."
deck
By ..
deck
- 1,851