Implementing a Zero Knowledge Proof

Slide 1

Slide 1 text

1 Cathie Yun @cathieyun C r y p t o V i l l a g e - D E F C O N 2 0 1 9 Implementing a Zero Knowledge Proof or, How to Write Bulletproofs in Rust

Slide 2

Slide 2 text

The story Motivation Understanding the paper Tools of the trade 2 1 2 3 4 5 The code Range proof Rust tricks Above and beyond 6

Slide 3

Slide 3 text

The story Motivation Understanding the paper Tools of the trade 3 1 2 3 4 5 The code Range proof Rust tricks Above and beyond 6

Slide 4

Slide 4 text

Why do we care about   zero knowledge proofs? 4

Slide 5

Slide 5 text

Non-confidential transaction 5 5 4 3 6 INPUTS OUTPUTS 5 + 4 3 + 6

Slide 6

Slide 6 text

Confidential transaction (broken) 6 A = Com(5) B = Com(4) C = Com(3) D = Com(6) INPUTS OUTPUTS A + B C + D Additively homomorphic commitment

Slide 7

Slide 7 text

Confidential transaction (broken) 7 A = Com(5) B = Com(4) C = Com(-1) D = Com(10) INPUTS OUTPUTS A + B C + D OH NO!!!  integer underflow!

Slide 8

Slide 8 text

Confidential transaction 8 A = Com(5) B = Com(4) C = Com(3) proof(C) D = Com(6) proof(D) INPUTS OUTPUTS A + B C + D ZK proof that amount is in range

Slide 9

Slide 9 text

Why do we care about  Bulletproofs? 9

Slide 10

Slide 10 text

Blockchains & Bulletproofs 10 Bulletproofs provide O(log(N)) proof sizes,  less than 1 Kb for most cases. Fast verification with Ristretto and AVX2;  scales well via batching and aggregation. No trusted setup -  cheap on-the-fly initialization of verification circuit Blockchain requirement Constrained proof size  (all nodes must receive and verify proofs) Fast verification   (low latency - all verifiers must sync quickly) Ad hoc logic  (different value flows,  custom smart contracts)

Slide 11

Slide 11 text

The story Motivation Understanding the paper Tools of the trade 11 1 2 3 4 5 The code Range proof Rust tricks Above and beyond 6

Slide 12

Slide 12 text

Slide 13

Slide 13 text

Slide 14

Slide 14 text

Slide 15

Slide 15 text

15 https://doc-internal.dalek.rs/bulletproofs/notes/range_proof/index.html

Slide 16

Slide 16 text

16 Bulletproof building block: inner products Σ = c = x x x x a b a0 a1 a2 … an-1 b0 b1 b2 … bn-1 We can make a proof that c =   in size and O(log(n)) instead of O(n). c

Slide 17

Slide 17 text

17 a b c = alo ahi blo bhi a' c' = a' = alo·x + ahi·x-1 b' = blo·x-1 + bhi·x c' = < alo·x + ahi·x-1, blo·x-1 + bhi·x > Prover gets random challenge scalar x from verifier b' The proof size is O(log(n)) instead of O(n). ... ...

Slide 18

Slide 18 text

18 Bulletproof range proofs apply  math & crypto 0≤v<2n How do we express a range as an inner product? c=⟨a,b⟩

Slide 19

Slide 19 text

Range statement → inner product 19 0 ≤ v < 2n We want to prove: If this is true, then v must be a binary number of length n. v = Σ x If v=7, n=4 0 1 1 1 23 22 21 20

Slide 20

Slide 20 text

20 0 ≤ v < 2n We want to prove: If this is true, then v must be a binary number of length n. 0 1 1 1 v = 23 22 21 20 Σ Let’s call this aL v = ⟨aL, 2n⟩ x Range statement → inner product

Slide 21

Slide 21 text

21 0 ≤ v < 2n We want to prove: We can do this by proving: 1) v = ⟨ aL, 2n⟩  2) aL ∘(aL - 1n) = 0n binary structure of v bits are actually bits (0s or 1s) Range statement → inner product

Slide 22

Slide 22 text

22 0≤v<2n c=⟨a,b⟩ Add blinding factors  Combine statements v = ⟨aL, 2n⟩  aL ∘(aL - 1n) = 0n Range statement → inner product

Slide 23

Slide 23 text

Want more details? 23 I’m giving a “Bulletproofs deep dive” talk at DEFCON too!  Sunday 8/11 at 11:45am at Monero Village The Bulletproofs paper:   https://eprint.iacr.org/2017/1066.pdf Our notes on the Bulletproofs math:  https://doc-internal.dalek.rs/bulletproofs/notes/index.html

Slide 24

Slide 24 text

The story Motivation Understanding the paper Tools of the trade 24 1 2 3 4 5 The code Range proof Rust tricks Above and beyond 6

Slide 25

Slide 25 text

We need to build: - Prime order group - Fiat-Shamir heuristic

Slide 26

Slide 26 text

Bulletproofs requires a prime-order group 26 Sounds good, but how do you actually implement this?

Slide 27

Slide 27 text

What kind of elliptic curve should we use? Weierstrass e.g. secp256k1 Edwards e.g. Curve25519, FourQ prime-order group fastest formulas complete formulas easy in constant time ✔ ✘ ✘ ✘ ✘ ✔ ✔ ✔

Slide 28

Slide 28 text

Examples of cofactor problems Ed25519 signature verification differs between single and batch verification As specified in the RFC, the set of valid signatures is not defined! Onion Service addresses in Tor had to add extra validation. Cofactor problem: 8 addresses for the same server. Monero had a critical vulnerability due to cofactors. Cofactor problem: allowed spending the same amount 8 times.

Slide 29

Slide 29 text

Decaf & Ristretto: the best of both worlds • Decaf - Mike Hamburg ’15 • Cofactor 4 reduction • Ristretto - Mike Hamburg, Henry de Valence • Cofactor 8 reduction • Curve25519 has cofactor 8 29 Decaf: https://eprint.iacr.org/2015/673.pdf  Ristretto: https://ristretto.group

Slide 30

Slide 30 text

Curve25519 is fast! • Curve25519 has cofactor 8 • Hisil, Wong, Carter, Dawson ’08 introduced   fast parallel formulas for Curve25519 • Curve25519-dalek is a fast, pure-Rust AVX2   implementation of those formulas 30 curve25519-dalek: https://doc-internal.dalek.rs/curve25519_dalek/backend/avx2/index.html  HWCD: https://www.iacr.org/archive/asiacrypt2008/53500329/53500329.pdf  Blog post: https://medium.com/@hdevalence/accelerating-edwards-curve-arithmetic-with-parallel-formulas-ac12cf5015be

Slide 31

Slide 31 text

Is this strategy fast? Yes! 31 IFMA AVX2 ristretto255: a prime-order group up to 4x faster than secp256k1.

Slide 32

Slide 32 text

The Fiat-Shamir Heuristic Converts an interactive argument into a non-interactive one. Idea: replace a verifier’s random challenges with a hash of the prover’s messages. 32 Sounds good, but how do you actually implement this?

Slide 33

Slide 33 text

Hashing data is kind of complicated! What if you forget to feed data into the hash? What if your data is ambiguously encoded in the hash? How do you handle multi-round protocols? Where do you put domain separators? … and many more edge cases. 33

Slide 34

Slide 34 text

What if there was a first-class transcript object? 34 Paper Implementation transcript.commit_point(b"L", L); transcript.commit_point(b"R", R); let x = transcript.challenge_scalar(b"x");

Slide 35

Slide 35 text

Merlin: STROBE-based transcripts for ZKPs Implement protocols as if they were interactive,  passing a transcript parameter.  Transformation is done in software, not by hand. Byte-oriented API, automatic message framing. Easy domain separation. Automatic sequential composition of proofs. 35 https://merlin.cool

Slide 36

Slide 36 text

The story Motivation Understanding the paper Tools of the trade 36 1 2 3 4 5 The code Range proof Rust tricks Above and beyond 6

Slide 37

Slide 37 text

https://github.com/  dalek-cryptography/bulletproofs 37

Slide 38

Slide 38 text

The story Motivation Understanding the paper Tools of the trade 38 1 2 3 4 5 The code Range proof Rust tricks Above and beyond 6

Slide 39

Slide 39 text

Proving 39

Slide 40

Slide 40 text

Proving: paper & code 40 page 17, lines 36-45 of the Bulletproofs paper let alpha = Scalar::random(rng); let A = h * alpha + msm(g_vec, a_L) + msm(h_vec, a_R); Pseudocode of implementation: src/range_proof/party.rs lines 84-110  and src/range_proof/dealer.rs lines 100-108

Slide 41

Slide 41 text

Proving: paper & code 41 page 17, lines 36-45 of the Bulletproofs paper let s_L = (0..n).map(|_| Scalar::random(rng).collect()); let s_R = (0..n).map(|_| Scalar::random(rng).collect()); let rho = Scalar::random(rng); let S = h * rho + msm(g_vec, s_L) + msm(h_vec, s_R); let alpha = Scalar::random(rng); let A = h * alpha + msm(g_vec, a_L) + msm(h_vec, a_R); Pseudocode of implementation: src/range_proof/party.rs lines 84-110  and src/range_proof/dealer.rs lines 100-108

Slide 42

Slide 42 text

Proving: paper & code 42 transcript.commit_point(b"A", A); transcript.commit_point(b"S", S); let y = transcript.challenge_scalar(b"y"); let z = transcript.challenge_scalar(b"z"); page 17, lines 36-45 of the Bulletproofs paper let s_L = (0..n).map(|_| Scalar::random(rng).collect()); let s_R = (0..n).map(|_| Scalar::random(rng).collect()); let rho = Scalar::random(rng); let S = h * rho + msm(g_vec, s_L) + msm(h_vec, s_R); let alpha = Scalar::random(rng); let A = h * alpha + msm(g_vec, a_L) + msm(h_vec, a_R); Pseudocode of implementation: src/range_proof/party.rs lines 84-110  and src/range_proof/dealer.rs lines 100-108

Slide 43

Slide 43 text

The story Motivation Understanding the paper Tools of the trade 43 1 2 3 4 5 The code Range proof Rust tricks Above and beyond 6

Slide 44

Slide 44 text

Session types for MPC 44

Slide 45

Slide 45 text

45 Blog post: https://blog.chain.com/bulletproof-multi-party-computation-in-rust-with-session-types-b3da6e928d5d

Slide 46

Slide 46 text

Optimizations 46

Slide 47

Slide 47 text

47 Lazy and zero-cost* • Can build up points & scalars using Rust iterators &  pass them into the multiscalar API to inline computation • Don’t have to do extra allocations or manage temporaries Rust iterators * except for build times

Slide 48

Slide 48 text

Performance of 64-bit rangeproof verification 48 IFMA 3x faster than libsecp256k1, 7x faster than Monero. 2x faster than libsecp256k1, 4.6x faster than Monero. <1 millisecond, with SIMD backends in curve25519-dalek AVX2

Slide 49

Slide 49 text

The story Motivation Understanding the paper Tools of the trade 49 1 2 3 4 5 The code Range proof Rust tricks Above and beyond 6

Slide 50

Slide 50 text

Constraint System API  for fully programmable proofs 50

Slide 51

Slide 51 text

51 Constraints Multiplicative constraint (secret-secret multiplication): x·y = z Linear constraint (secret variables with cleartext weights): a·x + b·y + c·z + ... = 0

Slide 52

Slide 52 text

Why constraint systems? A constraint system can represent  any efficiently verifiable program. A CS proof is proof that all the constraints  are satisfied by certain secret inputs. 52 https://medium.com/interstellar/programmable-constraint-systems-for-bulletproofs-365b9feb92f7 FURTHER READING

Slide 53

Slide 53 text

Cloak:  a confidential assets protocol 53

Slide 54

Slide 54 text

54 Composition of gadgets in Cloak Cloak transaction is a combination of smaller gadgets with different roles. SHUFFLE MERGE SPLIT RANGE 0/1 0/1 0/1 0/1 0/1 ? Secretly reorder N values. Secretly merge or move two values. Secretly split or move two values. Check that value is not negative.

Slide 55

Slide 55 text

55 INPUTS A B D E C F OUTPUTS SHUFFLE 1 R R R RANGE CHECK SHUFFLE 2 SHUFFLE 3 MERGE MERGE SPLIT SPLIT Only the prover knows where values are modified or moved. Observers cannot tell where values are actually split, merged or moved without modification. Cloak transaction

Slide 56

Slide 56 text

56 Randomly ordered input values are grouped by asset type. INPUTS $5 ¥3 $4 OUTPUTS SHUFFLE 1 R R R RANGE CHECK $5 ¥3 $4 $5 $4 ¥3 SHUFFLE 2 SHUFFLE 3 MERGE MERGE SPLIT SPLIT ¥3 $6 $3 Cloak walkthrough

Slide 57

Slide 57 text

57 INPUTS $5 ¥3 $4 OUTPUTS SHUFFLE 1 R R R RANGE CHECK $5 ¥3 $4 $5 $4 ¥3 SHUFFLE 2 $5 $4 $0 $9 $9 ¥3 $9 ¥3 SHUFFLE 3 MERGE MERGE SPLIT SPLIT ¥3 $6 $3 Cloak walkthrough Values of the same asset type   are fully merged together.

Slide 58

Slide 58 text

58 INPUTS $5 ¥3 $4 OUTPUTS SHUFFLE 1 R R R RANGE CHECK $5 ¥3 $4 $5 $4 ¥3 SHUFFLE 2 $0 $9 ¥3 $9 $0 ¥3 $5 $4 $0 $9 $9 ¥3 $9 ¥3 SHUFFLE 3 MERGE MERGE SPLIT SPLIT ¥3 $6 $3 Cloak walkthrough Non-zero values are reordered to the top, still grouped by asset type.

Slide 59

Slide 59 text

59 INPUTS $5 ¥3 $4 OUTPUTS SHUFFLE 1 R R R RANGE CHECK $5 ¥3 $4 $5 $4 ¥3 SHUFFLE 2 $0 $9 ¥3 $9 $0 ¥3 $5 $4 $0 $9 $9 ¥3 $9 ¥3 SHUFFLE 3 $9 $0 $6 $3 $3 ¥3 $3 ¥3 MERGE MERGE SPLIT SPLIT ¥3 $6 $3 Cloak walkthrough Values are split into target payment amounts.

Slide 60

Slide 60 text

60 INPUTS $5 ¥3 ¥3 $6 $4 $3 OUTPUTS SHUFFLE 1 R R R RANGE CHECK $5 ¥3 $4 $5 $4 ¥3 SHUFFLE 2 $0 $9 ¥3 $9 $0 ¥3 $5 $4 $0 $9 $9 ¥3 $9 ¥3 SHUFFLE 3 $6 $3 ¥3 ¥3 $6 $3 $9 $0 $6 $3 $3 ¥3 $3 ¥3 MERGE MERGE SPLIT SPLIT Cloak walkthrough Values that were grouped by asset type are shuffled into a random order.

Slide 61

Slide 61 text

61 INPUTS $5 ¥3 ¥3 $6 $4 $3 OUTPUTS SHUFFLE 1 R R R RANGE CHECK $5 ¥3 $4 $5 $4 ¥3 SHUFFLE 2 $0 $9 ¥3 $9 $0 ¥3 $5 $4 $0 $9 $9 ¥3 $9 ¥3 SHUFFLE 3 $6 $3 ¥3 ¥3 $6 $3 $9 $0 $6 $3 $3 ¥3 $3 ¥3 MERGE MERGE SPLIT SPLIT Cloak walkthrough All values are checked to be non-negative.

Slide 62

Slide 62 text

62 INPUTS Transactions of the same size are indistinguishable. A B D E C F OUTPUTS SHUFFLE 1 R R R RANGE CHECK SHUFFLE 2 SHUFFLE 3 MERGE MERGE SPLIT SPLIT Complete 3:3 Cloak transaction https://github.com/stellar/slingshot/spacesuit SPEC & CODE

Slide 63

Slide 63 text

ZkVM:  a zero-knowledge   smart contract language 63 https://github.com/stellar/slingshot/ZkVM

Slide 64

Slide 64 text

Thanks! 64 @oleganza Oleg Andreev @hdevalence Henry de Valence @durumcrustulum Deirdre Connolly @gtank__ George Tankersley

Slide 65

Slide 65 text

Further Reading Bulletproofs paper:   https://eprint.iacr.org/2017/1066.pdf Open-source GitHub repo for Bulletproofs in Rust:  https://github.com/dalek-cryptography/bulletproofs Notes on the Bulletproofs math & implementation docs:  https://doc.dalek.rs/bulletproofs/index.html Slide deck:  https://speakerdeck.com/cathieyun 65 @cathieyun Cathie Yun