linear algebra with sub-linear zero-knowledge arguments
DESCRIPTION
Linear Algebra with Sub-linear Zero-Knowledge Arguments. Jens Groth University College London. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A A A A A A A A A A. Motivation . Why does Victor want to know my password, bank statement, etc.?. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/1.jpg)
Linear Algebra with Sub-linear Zero-Knowledge Arguments
Jens GrothUniversity College London
![Page 2: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/2.jpg)
Motivation
Peggy Victor
Why does Victor want to know my password,
bank statement, etc.?
Did Peggy honestly follow the protocol?Show me all your
inputs! No!
![Page 3: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/3.jpg)
Zero-knowledge argument
Statement
Prover Verifier
Witness
Soundness:Statement is true
Zero-knowledge:Nothing but truth revealed
![Page 4: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/4.jpg)
Statements
• Mathematical theorem: 2+2=4• Identification: I am me!• Verification: I followed the protocol correctly.
• Anything: X belongs to NP-language L
![Page 5: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/5.jpg)
Our contribution
• Perfect completeness• Perfect (honest verifier) zero-knowledge• Computational soundness
– Discrete logarithm problem• Efficient
Rounds Communication Prover comp. Verifier comp.O(1) O(√N) group elements ω(N) expos/mults O(N) mults
O(log N) O(√N) group elements O(N) expos/mults O(N) mults
![Page 6: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/6.jpg)
Which NP-language L?
George theGeneralist
Sarah theSpecialist
Circuit Satisfiability! Anonymous Proxy Group Voting!
![Page 7: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/7.jpg)
Linear algebra
George theGeneralist
Sarah theSpecialist
Great, it is NP-complete
If I store votes as
vectors and add them...
![Page 8: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/8.jpg)
Statements
Rounds Communication Prover comp. Verifier comp.O(1) O(n) group elements ω(n2) expos O(n2) mults
O(log n) O(n) group elements O(n2) expos O(n2) mults
![Page 9: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/9.jpg)
Levels of statements
Circuit satisfiability
Known
![Page 10: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/10.jpg)
Reduction 1
Circuit satisfiability
See paper
![Page 11: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/11.jpg)
Reduction 2
Example:
![Page 12: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/12.jpg)
commit
Reduction 3
Peggy Victor
![Page 13: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/13.jpg)
Pedersen commitment
• Computationally binding– Discrete logarithm hard
• Perfectly hiding• Only 1 group element to commit to n elements• Only n group elements to
commit to n rows of matrix
Computational soundness
Perfect zero-knowledge
Sub-linear size
![Page 14: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/14.jpg)
Pedersen commitment
• Homomorphic
• So
![Page 15: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/15.jpg)
Example of reduction 3
commit
![Page 16: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/16.jpg)
Reduction 4
commit
![Page 17: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/17.jpg)
Product
![Page 18: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/18.jpg)
Example of reduction 4
• Statement: Commitments to• Peggy → Victor: Commits to diagonal sums• Peggy ← Victor: Challenge• New statement:
Soundness:For the sm parts to match for random s it must be that
![Page 19: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/19.jpg)
Reducing prover’s computation
• Computing diagonal sums requires ω(mn) multiplications
• With 2log m rounds prover only uses O(mn) multiplications
Rounds Comm. Prover comp. Verifier comp.
2 2m group m2n mult 4m expo
2log m 2log m group 4mn mult 2m expo
![Page 20: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/20.jpg)
Basic step
Known
Rounds Communication Prover comp. Verifier comp.
3 2n elements 2n expos n expos
![Page 21: Linear Algebra with Sub-linear Zero-Knowledge Arguments](https://reader035.vdocuments.mx/reader035/viewer/2022062410/56815d66550346895dcb6ebb/html5/thumbnails/21.jpg)
ConclusionRounds Comm. Prover comp. Verifier comp.
3 2n group 2n expo n expo
5 2n+2m group m2n mult 4m+n expo
2log m+3 2n group 4mn mult 2m+n expo
Upper triangular 6 4n group n3 add 5n expo
Upper triangular 2log n+4 2n group 6n2 mult 3n expo
Arithmetic circuit 7 O(√N) group O(N√N) mult O(N) mult
Arithmetic circuit log N + 5 O(√N) group O(N) expo O(N) mult
Binary circuit 7 O(√N) group O(N√N) add O(N) mult
Binary circuit log N + 5 O(√N) group O(N) mult O(N) mult