preon: digital signature from zk-SNARK

The preon team

Team

• Hon Hai Research Institute
  • Yu-Shian Chen & Wei-Bin Lee
• BTQ
  • Shiuan Fu, Wei-Chih Hong, Jen-Hsuan Hsiang, Sheng-Te Hu, & Po-Chun Kuo
• Academia Sinica
  • Ming-Shing Chen & Bo-Yin Yang (TBC)
• Feng-Hao Liu, Washington State University
• Justin Thaler, Georgetown University
• Eylon Yogev, Bar-Ilan University
• Chen-Mou Cheng, Chang Gung University

Outline

• NIST PQC
• preon
• zk-SNARK: an anatomy
  • Commitment
  • I(O)P & ZKP
    • Schnorr's ZKP for DLP
  • Aurora

preon: under the hood

• preon \( \approx \) Aurora + AES
  • Aurora: post-quantum zk-SNARK (to be detailed)
  • AES as one-way function
    • Public key is the ciphertext of encrypting a random plaintext using private key
• Optimization: replace prime field with binary field
  • 14240 \( \rightarrow \) 3440 constraints
  • 4x speedup, with additional 2\( \text{--} \)3x via AFFT
  • About 20% smaller signature

preon+: performance

Where we are & to go

• preon accepted by NIST as complete & proper
  • Preliminary security analysis shows even Aggressive (A) meets NIST's requirement, with Balanced (B) as backup
  • preon+ incorporates Cantor basis & more efficient encoding/padding
• Future works
  • More security analysis
  • Further optimized implementations
    • Must have: CPU, GPU, FPGA
    • Nice to have: ASIC

Anatomy of zk-SNARK

Serialization via commitment

(How to play rock-paper-scissors over internet)

• Cryptographic commitment
  • Commit: \( c=\text{commit}(r,m) \)
  • Verify: \( \text{verify}\Big(r,m,c\Big)? \)
• Security properties
  • Hiding: difficult to find \( m \) given \( c=\text{commit}\left(r,m\right) \)
  • Binding: difficult to find \( r',m'\neq m \) s.t. \( \text{verify}\Big(r',m',\text{commit}(r,m)\Big) \)

Proving \( x\in X \) via Merkle tree

Interactive (oracle) proof

• IP allows Prover P to prove Statement S to (computationally bounded) Verifier V via dialogue
  • Completeness: If S is true, then V should be convinced with probability 1
  • Soundness: If S is false, then V should be convinced with a (very) small probability
• Example (trivial): NP \( \subset \) IP
• IOP: dialogue consists of probabilistically checkable proofs, implemented by e.g. functional commitment

Zero-knowledge IP

• V learns nothing beyond S is true
  • Consider special S: \( y=f(x,\color{red}w\color{black}) \)
  • Can simulate the dialogues without knowing \(\color{red}w\color{black}\)
• Example: Blind V with two colored balls

Toy example

• Prover: "I know integers \( \color{red}p\color{black},\color{red}q\color{black} \) s.t. \( n=\color{red}pq\color{black} \)"
• Prover commits to three polynomial functions: \[ \color{red}r_p\color{black}X+\color{red}p\color{black},\color{red}r_q\color{black}X+\color{red}q\color{black},\text{ and }\color{red}r_pr_q\color{black}X^2+(\color{red}r_pq\color{black}+\color{red}pr_q\color{black})X+n \]
• Verifier challenges Prover with random \( r \) and checks whether \( (\color{red}r_p\color{black}r+\color{red}p\color{black})(\color{red}r_q\color{black}r+\color{red}q\color{black})\stackrel{?}{=}\color{red}r_pr_q\color{black}r^2+(\color{red}r_pq\color{black}+\color{red}pr_q\color{black})r+n \)
• Lemma [Schwartz-Zippel] \[ \text{Pr}_{r\in k}\Big(f(r)=g(r)\Big)\leq\frac{d}{|k|}\text{ for }f\neq g\text{ with }\deg f,\deg g\leq d \]

zk-SNARK

• Consider special zk-NARK:
  • Proof \( \pi \) proves P knows a \( \color{red}w\color{black} \) s.t. \( y=f(x,\color{red}w\color{black}) \)
  • If \( \pi \) is "small" compared with \( f \), e.g., \( |\pi|=O(\log|f|) \), then we say it is succinct, or zk-SNARK
• Questions
  • What can we do with a zk-SNARK?
  • How to "compress" \( \pi \)?
  • How to encode (interesting) \( f \)?

zk-SNARKing C2PA

• Coalition for Content Provenance and Authenticity
  • Camera signs all photos taken: \( s=\text{sign}(p) \)
  • Publisher/consumer verifies: \( \text{verify}(p,s)? \)
• What if \( p'=f(p) \) where \( f \) crops, resizes, rotates, ... \( p \)?
  • \( \pi \): "I know \( \color{red}p\color{black},\color{red}s\color{black} \) s.t. \( \text{verify}(\color{red}p\color{black},\color{red}s\color{black}) \) & \( p'=f(\color{red}p\color{black}) \)"
  • For zk-SNARKs, \( |\pi|\ll |f|=\mathcal O(|p|) \)

Recipe: RS-encoded IOP

• Think of \( v\in V \) as a function \( H\rightarrow F_q \) for \( |H|=\dim V \)
• Encode \( v \) as \( f_v \) via Lagrange interpolation
  • \( f_v(X)=r(X)+q(X)\prod_{h\in H}(X-h) \)
  • S.t. \( \forall h\in H,r(h)=v(h) \)
• V can now query \( f_v(x) \) for some \( x\in L \)
  • Intuition: ZK if \( H\cap L=\varnothing \) and \( \deg q \) is large enough
• (FRI) low-degree test: Check if \( \deg f_v \) is small enough

Aurora

• Encode \( y=f(x,\color{red}w\color{black}) \) into R1CS: \( Az\odot Bz=Cz \), where:
  • \( A,B,C \) are matrices depending on \( f \)
  • \( z=\begin{bmatrix} 1 & u & \color{red}w\color{black} & x & y \end{bmatrix}^T \)
  • \( u \) is auxiliary variables
• Lincheck RS-encoded IOP: \( y_A=Az, y_B=Bz, y_C=Cz \)
• Rowcheck RS-encoded IOP: \( y_A\odot y_B=y_C \)

Expressiveness of R1CS

\[ y=x^3: \boxed{\begin{aligned} x\cdot x & =u \\ u\cdot x & =y \end{aligned}} \]

\[ 0\leq x<8: \boxed{\begin{aligned} 1\cdot(x_0+2x_1+4x_2) & =x \\ x_0\cdot x_0 & =x_0 \\ x_1\cdot x_1 & =x_1 \\ x_2\cdot x_2 & =x_2 \end{aligned}} \]

\(r=\) if \(b\) then \(t\) else \(f\): \[ \boxed{\begin{aligned} (t-f)\cdot b & =r-f \\ b\cdot b & =b \end{aligned}} \]

Got DSL? 

• Cairo (zk-STARK)
• Circom (HDL)
• Leo
• Lurk
• Noir
• PIL
• ZoKrates
• Keelung, a zkDSL embedded in Haskell

Thank you!

Questions or comments?