Download - Sigma Protocols and Zero Knowledge
SPB Crypto Devs Meetup
Sigma Protocols and Efficient Zero-Knowledge Proofs
Alexander ChepurnoyIOHK Research
Motivating Example
Alice publishes a commitment of a secret
Alice passes a secret to Bob
Bob wants to convince Carol he knows a secret
Motivating Example
Anonymous voting
Every vote is whether 0 or 1 encrypted
To calculate a sum, additively homomorphic encryption could be used
But how to be sure only 0 or 1 is encrypted?
Solution: a proof for each vote it is whether 0 or 1(without revealing a value!)
ZKPoKs: What For
Identification schemes
Signatures
Building block in many protocols(voting, anonymous transactions etc)
ZKPoK
Zero-Knowledge Proof of Knowledge
Prover P, Verifier V, relation R
Common input x
P proves it knows a witness w for which (x,w)R
Without revealing anything about it
In practice, often inefficient and so avoided
Properties
Completeness: a correct statement could be proven
Soundness: it's not possible to prove incorrect statements(with a non-negligible probability)
-protocol, Generically
P sends V a message a
V sends P a random t-bit string e
P sends a reply z, and V decides to accept or reject based solely on the data it has seen; i.e., based only on the values (x, a, e, z).
Theory Behind
Ivan Damgard On Sigma Protocols
Yehuda Lindell, Carmit Hazay Efficient Secure Two-Party Protocols: Techniques and Constructions (Book)
Yehuda Lindell Sigma Protocols and Zero Knowledge http://www.youtube.com/watch?v=nwsmG3S9wIc
Implementation
ScAPI(Java/JVM) - The Secure Computation API https://github.com/cryptobiu/scapi
Protocols pseudocode http://cryptobiu.github.io/scapi/SDK_Pseudocode.pdf
Example: Schnorrs protocol
-protocol for DLOG
h = gw
(p, q ,g, h) is common input
First msg(P): a = gr
Second msg(V): challenge c = random({0, 1}, t)
Third message(P): z = r + ew mod q
V checks if gz = a * he
Completeness: gz = g(r+ew) = gr * (gw)e = a * he
Schnorrs protocol
Very efficient: just 3 exponentiations
Proof-of-Knowledge protocol
Not provably Zero-Knowledge
but Honest Verifier Zero-Knowledge
error 2-t
Proof of Membership
(x;w) L
x is set
Example: Diffie-Hellman tuple
Common input: (G,q,g,h,u,v,t)
P knows w such as u = gw, v = hw
P sends out a = gr, b = hr
V sends out a challenge c = random({0, 1}, t)
P sends out z = r + ew mod q
V checks if gz = a*ue, hz = b * ve
Run Properties
Parallel execution: l parallel runs with challenge of size t is equivalent to run protocols with challenge of size l*t
Challenge could be of arbitrary size
Compound Statements
AND
OR
AND Statement
Just run two protocols in parallel for (a1, a2) and the same e
OR Statement
Prove one of two statements is true without revealing which
Based on simulation for a statement witness isn't known for
Compound Statements
OR of many statements (k out of n) is possible
Any monotone formula, so any combination of ANDs and ORs without a negation, is possible
Commitment Scheme
Commit phase
Reveal phase
hash (secret ++ blinding factor)
Pedersen commitment: c = gx * hr
Zero Knowledge From -protocol
Verifier needs to commit a challenge in prior to a fist message from a Prover
With the commitment being added, a -protocol becomes provably Zero-Knowledge (details in the book of Lindell / Hazay)
Zero Knowledge From -protocol
-protocol
V chooses a random t-bit challenge e and interacts with P via the commitment protocol in order to commit to e
P computes the first message a in , using (x, w) as input, and sends it to V
V reveals e to P by decommitting
P verifies the decommitment, computes the answer z in , and sends z to V
V accepts if and only if transcript (a, e, z) is accepting in on input x
Commitment From -protocol
Verifier = receiver
Prover = sender
Set-up: V generates (x; w), sends x to P
Commit: to commit to a t-bit string e. P runs simulator on (x, e) to get (a, e, z) and sends a to V
Open: to reveal the commitment, P sends (e, z) to V, V checks (a, e, z)
Non-Interactive -protocol
No interaction, no Verifier
w. public Random Oracle
e = R(a)
not provably secure
Signature From -protocol
(x; w)
public key x
private key w
message m
e = R(a++m)
(a, z) is a signature
as hard to break as to compute w from x (in ROM)
Conclusion
One template for many protocols
Highly efficient
Composable
Provably secure
Makes things easier
Crypto is HARD anyway...
Questions?
Twitter: @chepurnoyMail: [email protected]