Rhapsody in Zero Knowledge PROVING WITHOUT REVEALING Tony Arcieri · Strange Loop · September 14th, 2019

iqlusion https://www.iqlusion.io

What This Talk Is About The history of zero-knowledge proofs (Wall of Papers)

What This Talk Is Not The math of zero-knowledge proofs

How to draw an owl 1. 2. 1. Draw some circles 2. Draw the rest of the f***ing owl

A growing problem: identity theft

Causes: data breaches and insecure authentication methods

https://twitter.com/filosottile/status/1162404848073170944

Solutions?

Solutions? more identity monitoring which risks more data breaches

Solutions? stronger authentication methods with frightening privacy implications

PET SHOP BOYS "INTEGRAL" FUNDAMENTAL (2006)

No content

No content

Right now your phone is broadcasting: • International Mobile Subscriber Identity (IMSI) • Medium Access Control (MAC) • Bluetooth Identifier

No content

What if we didn't have to sacrifice privacy to get security?

What is a zero-knowledge proof?

Goal Prove you found: Goal Prove you found: ...in zero knowledge

https://twitter.com/aisconnolly/status/1019918914342543360

https://twitter.com/aisconnolly/status/1019918914342543360

https://twitter.com/aisconnolly/status/1019918914342543360

Proof of Knowledge

Proof Statement Prove you found:

https://twitter.com/aisconnolly/status/1019918914342543360 Witness

Demonstrate knowledge of a witness without revealing anything about it Zero-Knowledge Proof

Shafi Goldwasser and Silvio Micali

What if we didn't have to sacrifice privacy to get security? " " - Shafi Goldwasser

"Basic research from 20-30 years ago can save us from a problem we didn't know existed yet" - Shafi Goldwasser

1982

Probabilistic Encryption

Probabilistic Encryption & How To Play Mental Poker Keeping Secret All Partial Information Shaft Goldwasser * and Silvio Micali ** Computer Science Department University of California - Berkeley I. Introduction This paper proposes an Encryption Scheme that possess the following property: An adversary, who knows the encryption algorithm and is given the cyphertext, can- not obtain any information about the clear- text. Any implementation of a Public Key Cryptosys- tem, as proposed by Diffie and Hellman in [8], should possess this property. Our Encryption Scheme follows the ideas in the number theoretic implementations of a Public Key Cryptosystem due to Rivest, Shamir and Adleman [13], and Rabin [12]. Security is based on Complexity Theory and the intractability of some problems in number theory such as factoring, index finding and deciding whether numbers are quadratic resi- dues with respect to composite mvduli is assumed. In this context, impossibility means computational infeasibility and proving that a problem is hard means to show it equivalent to one of the above mentioned problems. The key idea in both the RSA scheme and the Rabin scheme is the selection of an appropriate trapdoor function; an easy to evaluate function f such that x is not easily computable from f(x), unless some extra information is known. To encrypt a message m, one simply evaluates f (m). Thin research was supported by * NSF Grant MCS-79-037667 ** fellowship from Consiglio Nazionale delle Ricerche - Italy and in part by NSF Grant MCS-79-037667 We would like to point out two basic weaknesses of this approach: 1) The fact that f is a trapdoor function does not rule out the possibility of computing x from ff (x) when x is of a special form. Usually messages do not consist of numbers chosen at random but possess more struc- ture. Such structural information may help in decoding. For example, a function f, which is hard to invert on a generic input, could conceivably be easy to invert on the ASCII representations of English sentences. 2) The fact that f is a trapdoor function does not rule out the possibility of easily com- puting some partial information about z (even every other bit of x) from f (z). The danger in the case that z is the ASCII representation of an English sentence is self evident. Encrypting messages in a way that ensures the secrecy of all partial infor- mation is an extremely important goal in Cryptography. The importance of this point of view is particularly apparent if we want to use encryption to play card games over the telephone. If the suit or color of a card could be compromised the whole game could be invalid. Though no one knows how to break the RSA or the Rabin scheme, in none of these schemes is it proved that decoding is hard without any assumptions made on the message space. Rabin shows that, in his scheme, decoding is hard for an adversary if the set of possible messages has some density property. The novelty of our contribution consists of 1. The notion of Trapdoor Functions is replaced by Probabilistic Encryption. To encrypt each message we make use of a fair coin. The encoding of each message will depend on the message plus the result of a

the selection of an function; an easy to ch that x is not easily , unless some extra To encrypt a message f (m). by Nazionale delle Ricerche - t MCS-79-037667 or part of this material is granted de or distributed for direct opyright notice and the title of the d notice is given that copying is by omputing Machinery. To copy a fee and/or specific permission. 7-2/82/005/0365 $00.75 Though no one knows how to break the RSA or the Rabin scheme, in none of these schemes is it proved that decoding is hard without any assumptions made on the message space. Rabin shows that, in his scheme, decoding is hard for an adversary if the set of possible messages has some density property. The novelty of our contribution consists of 1. The notion of Trapdoor Functions is replaced by Probabilistic Encryption. To encrypt each message we make use of a fair coin. The encoding of each message will depend on the message plus the result of a sequence of coin tosses. Consequently, there are many possible encodings for each message, llowever, messages are always uniquely decodable. ~ IProbabilistic Encryption is completely different from the technique of apl~eDcling random bits to a message as suggested in U?.] and [16]. 365 works like public-key cryptography

2. Decoding is easy for the legal receiver of a message, but provably hard for an adver- sary. Therefore the spirit of a trapdoor function is maintained. In addition, in our scheme, without imposing any restrictions on the message space, we can prove that decoding is equivalent to deciding qua- dratic residuosity modulo composite numbers. 3. No Partial Information about an encrypted ingenious pa space, A, B, message. Le tion, which decryption for all m e M is placed in private. D A knowing onl takes E A fro and sends th

Any implementation of a Public Key Cryptosys- tem, as proposed by Diffie and Hellman in [8], should possess this property. Our Encryption Scheme follows the ideas in the number theoretic implementations of a Public Key Cryptosystem due to Rivest, Shamir and Adleman [13], and Rabin [12]. Security is based on Complexity Theory and the intractability of some problems in number theory such as factoring, index finding and deciding whether numbers are quadratic resi- dues with respect to composite mvduli is assumed. In this context, impossibility means computational infeasibility and proving that a problem is hard means to show it equivalent to one of the above mentioned problems. The key idea in both the RSA scheme and the Rabin scheme is the selection of an appropriate trapdoor function; an easy to evaluate function f such that x is not easily computable from f(x), unless some extra information is known. To encrypt a message m, one simply evaluates f (m). in decoding. For ex which is hard to inve could conceivably be ASCII representations 2) The fact that f is a t not rule out the pos puting some partial (even every other bit danger in the case representation of an self evident. Encrypti that ensures the secre mation is an extreme Cryptography. The im of view is particularly to use encryption to the telephone. If the could be compromis could be invalid. Though no one knows how the Rabin scheme, in non it proved that decoding assumptions made on the shows that, in his scheme, an adversary if the set of some density property.

From probabilistic encryption to zero-knowledge proofs or "if at first you don't succeed, try, try again"

"Proofs with Untrusted Oracles" RE

"Interactive and Minimal Computations" RE

"Information Content of Proof Systems" RE

"Knowledge Complexity of Interactive Protocols" RE

1985

No content

In this paper a computational complexity theory of the "knowledge" contained in a proof is developed. Zero-knowledge proofs are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question.

What is an interactive proof system?

No content

"I hate the cave!" - Shafi Goldwasser

No content

Interactive proof example Proving knowledge of a graph 3-coloring algorithm

Cast Peggy Prover Victor Verifier

Peggy knows a 3-coloring algorithm

Goal Prove it to Victor: Prove it to Victor: ...in zero knowledge Goal

No content

Confidence: 6.67% 1 - (e - 1) / e

No content

https://web.mit.edu/~ezyang/Public/graph/svg.html

That same year... "Arthur-Merlin Proofs"

Trading Group Theory for Randomness La’siszld Babai Dept. Algebra Eijtviis University Rudapt~st Hungary II-1088 Abstract. la a previous paper [BS] we proved, using the elements of the Clwory of nilyotenf yroupu, that some of the /undamcn- la1 computational problems in mat& proup, belong to NP. These problems were also ahown to belong to CONP, assuming an unproven hypofhedi.9 concerning finilc simple Q’ oup,. The aim of this paper is t.o replace most of the (proven and unproven) group theory of IBS] by elementary com- binatorial argumenls. The rev& we prove is that relative to a random oracle f3, tbc meutioned matrix group prob- lems belong to (NPncoNP)L! Thr problems we consider arr membership in and order of a matrix group given by a list of gnrrntors. These prob- trms can bc vicwrd as m~lt~idimcnsio~r;lI vemiorm of a closr rrldivr of t.hc disrrct,r logarilhm prob1c.m. I tencc A’ltiro.VI’ might be the lowrst natural romplcxity rla.us t bry may ii1 in. Wr remark that the resutt,s remain valid for blark boz groupa where group operations are prrformcd by an oracle. Thcb tools we inlroduce seem interesting in their own right. \Ve define a new hierarchy of complexit)y ctesscs A.4Ak) “just above NP’, introduring Arthur ud. Merlin games, the bonnded-away version of Pnpadimitriou’s Games against Nature. We prove th:rt. in spite of their analogy with the polynomial time hierarchy, the finite lev- rls of this hierarchy collapse t,o Afsf=Ah42). Using a com- binatorial lemma on finite groups [IIE], we construct a game by whirh t.he nondeterministic player (Merlin) is able to coavlnre the random player (Arthur) about the rctation ICj=N provided Arthur trusts conclusions based on st,a- tisticnl rvidrnce (such as a Solovay-Strassen type “proof” of primatit,y ). One can prove that AM consists precisely of t&ose langungrs which belong to iV@ for almost every oracle 13. Our hirrarchy has an intrrcsjdng, still unclarified reta- tion to imother hierarchy, obt,ained by rcnloving the cen- t.rat ingrrdirnt from the l&r ~a. Ezpcrl games of (;otctwassrr, Mirati and Rarkoff. permission 10 copy without fee all or part ot this material is granted provided that the copies arc not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. Q 1985 ACM 0-89791-ISI-2/85/005/0421 $00.75 Dept. Computer Science I Jnivrrsity of Chicago I 100 E 58th St. (Chicago, II, 60637 1. Introduction 1.1. Randomness vs. mathematical intractabil- ity: a tradeoff l’aul E&k has taught us that randomness can do miracles as tong as we don’t insist on explicit con- structions. If we do, quite often much heavier mathrmatics has to be invoked - if there is any help at all. The few citSes where randomness has SUCCCSS- futiy hccn eliminated, like for expanding graphs, point to the tIiITiiculty (cf. [Pin], [PipJ vs. [Mar], [CC]). A ra.ndom st.ring can sometimes replace the most forrnidahle msthelrtotical hypothesis. The Solovay- Strnsscn bf(JntC? Carlo primality test [SS] vs. Gary Mittrr’s det.erministic primality test, based on the Extended ltirmann Hypothesis [Mill, is one of the famous examples. The objective of this paper is to introduce some new random tools to replace an unproven group theoretic hypothesis. 1.2. Matrix groups Lly far the most common wrry to represent groups is by matrices. This is almost the only way groups are being thought of in science. The term “ltcprceentation Theory” refers to matrix representa- tions, a central tool in the theory of finite groups, har- monic analysis, quantum mechanics and other fields. It s.ppears that the main reason why compn+a- tional group theory has so far mainly concentrated on permutation groups is that while many of the basic problems in permutation groups are solvable in poly- nomial time (cf.[Sinr], (FHL], (BKL]), even the sim- plrst questions on matrix groups seem computation- ally infr.asiblc. The membership problem (does a given matrix belong to a group given by a list of generators?) is undecida6le for 4 by 4 integral matrices (hlih]. It seems therefore wise to r&rict our attention to malrix groups over finite fields. Here the basic problems (membership, order) are at least finite and in fact easily seen to belong to PSPACE, On the other ha.nd, finding a polynomial time algorithm seems hopclcss even in the one-dimensional (number theoretic) case. Concerning the place of these 421

e hierarchy, the best in NPflcoNP. .achieve this goal but Monte Carlo primality compIexity class AA4 n of NP in the same Our main result is and order of matrix AM~IcoAM. this result in Section necessary complexity ted in detail in Sec- for later use, let us FE]. They ssscrt that s to NP and so does er an inheger divides 2. A hierarchy of coxnplexity classes 2.1. Convincing a distrustful party King Arthur recognizes the supernatural intcllec- tual abilit.ies of Merlin but doesn’t trust him. How should Merlin convince the intelligent but impatient King that a string zr belongs to a given language I., ? If &NP, Merlin will be able to present a u~ilneas which hthur can check in polynomial time. We shalt define a hierarchy of complexity classes “just above NP’ which still allow Merlin to convince Arthur about membership provided Arthur accepts stat.ist.ical evidence. We define these relatively low complexity classes in terms of a combinatorial game played by Merlin and Arthur. 2.2. Combinatorial games The general definition of combinatorial games will be given in 3.1.

Proofs are meaningless without a verifier

Zero-knowledge proofs exist to convince a distrustful third party

1986

Private Coins versus Public Coins in Interactive Proof Systems Shaft Goldwasser* Computer Science Department MIT Michael Sipser** Computer Science Department University of California at Berkeley and Mathematics Department MIT Abstract An interactive proof system is a method by which one party of unlimited resources, called the prover, can convince a party of lim- ited resources, call the verifier, of the truth of a proposition. The verifier may toss coins, ask repeated questions of the prover, and run efficient tests upon the prover's responses before deciding whether to be convinced. This extends the familiar proof system impli- cit in the notion of NP in that there the verifier may not toss coins or speak, but only listen and verify. Interactive proof systems may not yield proof in the strict mathemati- cal sense: the "proofs" are probabilistic with an exponentially small, though non-zero chance of error. We consider two notions of interactive proof system. One, defined by Goldwasser, Micali, and Rackoff [GMR] permits the verifier a coin that can be tossed in private, i.e., a secret source of randomness. The Permission to copy without ice all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. © 1986 ACM 0-89791-193-8/86/0500/0059 $00.75 second, due to Babai, [B] requires that the outcome of the verifier's coin tosses be public and thus accessible to the prover. Our main result is that these two sys- tems are equivalent in power with respect to language recognition. The notion of interactive proof system may be seen to yield a probabilistic analog to NP much as BPP is the probabilistic analog to P. We define the probabilistic, nondeter- ministic, polynomial time Turing machine and show that it is also equivalent in power to these systems. 1. Introduction In this century, the notions of proof and computation have been formalized and under- stood. With the arrival of complexity theory, the notion of what is efficiently provable became of interest. The class NP captured this notion, containing those languages for which proofs of membership can be verified by a deterministic polynomial time Turing machine. We can view NP as a proof-system consisting of two communicating Turing machines: the prover who guesses the proof * Research supported in part by NSF Grant 8509905 DCR. ** Research supported in part by NSF Grant MCS- 8304769 and Air Force Grant AFOSR-82-0326. 59

1986 Public Coin vs Private Coin

"Coin-Flipping" Protocol

Public Coin Argument of Knowledge Outcome of the coin flip is visible to the public

Private Coin Argument of Knowledge Coin flip happens in secret and is not publicly visible

Fiat-Shamir

No content

Turn an interactive proof of knowledge into a signature

Signatures are non-interactive

Commitment Random Challenge Proof

Compute commitment using a random oracle a.k.a. a hash functionn

Commitment Hash(Commitment) Proof

Non-interactive public coin argument of knowledge

But what about a non-interactive private coin argument of knowledge?

Before I get to that, one more thing from the '80s

1988

Everything Provable is Provable in Zero-Knowledge Michael Ben-Or Hebrew University Oded Goldreich Shafi Goldwasser Johan Hhtad Joe Kilian Silvio Micali Phillip Rogaway Technion - Israel Institute of Technology M.I.T. Laboratory for Computer Science Royal Institute of Technology, Sweden M.I.T. Laboratory for Computer Science M.I.T. Laboratory for Computer Science M.I.T. Laboratory for Computer Science Abstract Assuming the existence of a secure probabilistic encryption scheme, we show that every language that admits an interactive proof admits a (computational) zero-knowledge interactive proof. This result extends the result of Goldreich, MiCali and Wigderson, that, under the same assumption, all of NP admits zero-knowledge interactive proofs. Assuming envelopes for bit commitment, we show tht every language that admits an interactive proof admits a perfect zero-knowledge interactive proof. 1. Introduction Suppose Bob is polynomially time-bounded, but Alice has unlimited computational resources. If q 5 is a satisfiable boolean formula, Alice can certainly convince Bob of this fact; she could send Bob a message y describing a satisfying truth assignment for 4, and Bob could check that y does indeed specify a satisfying truth assignment. In other words, the language L of satisfiable boolean formulas is in NP. The interaction between Alice and Bob in this example is very simple: Alice sends a single message to Bob, and no other messages are sent between the two. If q5 is satisfiable, there is some message y that Alice might send which will convince Bob to accept. But if q5 is not satisfiable, then no message that Alice might send w i l l convince Bob to accept. In the paper of Goldwasser, Micdi, and Rackoff [GMR], the authors extend the scenario above in two ways, to arrive at the notion of an interactive proof for the language L. First, the interaction between Alice and Bob is allowed to be more complicated, with Alice and Bob exchanging multiple messages. Secondly, Alice and Bob are taken to be probabilistic, and Bob may occasionally accept or reject erroneously. It is required that if an input is in L, then Alice can behave in such a way that Bob will almost always accept; but if an input is n o t in L, then, no mater what messages Alice sends, Bob will almost certainly reject. A different notion of provability “beyond NP” was independently proposed by Babai [Bab]. This notion is called an Arthur-Merlin protocol. Babai’s model is similar to that of [GMR], but is seemingly more limited, because the verifier is required to reveal to the prover all of his coin flips (right after making them). Though this loss of privacy seems an important restriction, Goldwasser and Sipser [GSJ show that, in fact, the models are equivalent with respect to language recognition. Let IP be the class of languages that admit interactive proofs. Clearly N P 5 I P , for an NP-interaction is a special type of IF‘-interaction, in which the prover (Alice) sends the one and only message, and the verifier (Bob) never errs. However, IP may be a much larger class of languages. For example, there is an interactive proof known for graph nonisomorphism, even though there are not known to be succinct certificates for establishing that a pair of graphs are not isomorphic.

Every problem in NP has a zero-knowledge interactive proof

Zero-knowledge proofs are universal

1992

How do you check a proof that's too large to verify?

Probabilistically Checkable Proofs

Probabilistic Checking of Proofs: A New Characterization of NP SANJEEV ARORA Princeton University, Princeton, New Jersey AND SHMUEL SAFRA Tel-Aviv University, Tel-Aviv, Israel Abstract. We give a new characterization of NP: the class NP contains exactly those languages L for which membership proofs (a proof that an input x is in L) can be verified probabilistically in polynomial time using logarithmic number of random bits and by reading sublogarithmic number of bits from the proof. We discuss implications of this characterization; specifically, we show that approximating Clique and Independent Set, even in a very weak sense, is NP-hard. Categories and Subject Descriptors: F.1.2 [Computation by Abstract Devices]: Modes of Computa- tion; F.1.3 [Computation by Abstract Devices]: Complexity Classes; F.2.1 [Analysis of Algorithms and Problem Complexity]: Numerical Algorithms and Problems; F.2.2 [Analysis of Algorithms and Problem Complexity]: Numerical Algorithms and Problems; F.4.1 [Mathematical Logic and Formal Languages]: Mathematical Logic General Terms: Algorithms, Theory, Verification Additional Key Words and Phrases: Approximation algorithms, complexity hierarchies, computations on polynomials and finite fields, error-correcting codes, hardness of approximations, interactive computation, NP-completeness, probabilistic computation, proof checking, reducibility and complete- ness, trade-offs/relations among complexity measures A preliminary version of this paper was published as in Proceedings of the 33rd IEEE Symposium on Foundations of Computer Science. IEEE, New York, 1992, pp. 2–12. This work was done while S. Arora was at CS Division, UC Berkeley, under support from NSF PYI Grant CCR 88-96202 and an IBM graduate fellowship.

How can we create smaller proofs?

A note on efficient zero-knowledge proofs and arguments. (extended abstract) Joe Kilian NEC Research Institute Princeton, NJ 08540 Abstract In this note, we present new zero-knowledge interac- tive proofs and arguments for languages in NP. To show that z G L, with an error probability of at most 2-k, our zero-knowledge proof system requires O(lzlc’) + O(lg” l~l)k ideal bit commitments, where c1 and cz depend only on L. This construction is the first in the ideal bit commitment model that achieves large values of k more efficiently than by running k indepen- dent iterations of the base interactive proof system. Un- der suitable complexity assumptions, we exhibit a zer~ knowledge arguments that require O(lg’ Izl)ki bits of communication, where c depends only on L, and 1 is the security parameter for the prover.l This is the first construction in which the total amount of communica- tion can be less than that needed to transmit the NP witness. Our protocols are based on efficiently checkable proofs for NP [4]. ~l–&lly~ 1is the size of some problem the poly-time bounded prover is assumed to be unable to solve. 1 Introduction. 1.1 The problem of efficient security amplification. The standard definition of interactive proofs[7] requires that the verifier accept a correct proof and reject an in- correct assertion with probability at least #. As there are few applications where a 1/3 error probability is ac- ceptable, one usually tries to obtain an error probability less than 2-h, where k is some easily adjustable secu- rity parameter. The most obvious way of achieving this security amplification is take a protocol with a 1/3 er- ror probability, run it O(k) times, and have the verifier accept or reject by majority vote. 2 Are there any more efficient ways of achieving security than by this simple technique? As we will show, the answer is yes, for a wide variety of languages, in a well known model for which no other amplification technique was previously known. The work of Boyar, Brasserd end Peralta. Our work is inspired by Boyar, Brassard and Peralta’s zerc+knowledge protocol for circuit satisjiabilii!y,g which for the first time achieved a more efficient security amplification than by the naive approach [1]. Their protocol achieved a 2-k error probability using only

1998

Computationally-Sound Proofs Silvio Micali Department of Computer Science Massachusetts Institute of Technology Cambridge, MA 02139, USA silvio@theory.lcs.mit.edu Abstract. This paper puts forward a new notion of a proof based on computational complexity, and explores its implications to computation at large. Computationally-sound proofs provide, in a novel and meaningful frame- work, answers to old and new questions in complexity theory. In partic- ular, given a random oracle or a new complexity assumption, they allow us to prove that verifying is easier than deciding; to provide a quite effec- tive way to prove membership in computationally hard languages (such as Co-ÀÀP-complete ones); and to show that every computation possesses a short certificate vouching its correctness. 1 Introduction A new notion. Proofs are fundamental to our lives, and as for all things fundamental we should expect that answering the question of what a proof is will always be an on-going process. Indeed, we wish to put forward the new notion of a computationally-sound proof (CS proof for brevity) which achieves new and important goals, not attained or even addressed by previous notions. Informally, a CS proof of a statement S consists of a short string Û, very easy to verify and as easy to find as possible, offering a strong computational guarantee about the verity of S. By "very easy to verify" we mean that the time necessary to inspect a CS Proof of a statement S is poly-logarithmically shorter than that required to decide S. By "as easy to find as possible" we mean that a CS proof of a true statement (i.e., for the purposes of this paper, derivable in a given axiomatic theory) can be computed in a time essentially comparable to that needed to decide the statement. Finally, by saying that the guarantee offered by a CS proof is "computational" we mean that false statements either do not have any CS proofs, or such "proofs" are practically impossible to find. Implementations of CS proofs. The value of a new notion, of course, cru- cially depends on whether it can be sufficiently exemplified. We provide two

as Co-ÀÀP-complete ones); and to show that every computation possesses a short certificate vouching its correctness. 1 Introduction A new notion. Proofs are fundamental to our lives, and as for all things fundamental we should expect that answering the question of what a proof is will always be an on-going process. Indeed, we wish to put forward the new notion of a computationally-sound proof (CS proof for brevity) which achieves new and important goals, not attained or even addressed by previous notions. Informally, a CS proof of a statement S consists of a short string Û, very easy to verify and as easy to find as possible, offering a strong computational guarantee about the verity of S. By "very easy to verify" we mean that the time necessary to inspect a CS Proof of a statement S is poly-logarithmically shorter than that required to decide S. By "as easy to find as possible" we mean that a CS proof of a true statement (i.e., for the purposes of this paper, derivable in a given axiomatic theory) can be computed in a time essentially comparable to that needed to decide the statement. Finally, by saying that the guarantee offered by a CS proof is "computational" we mean that false statements either

Poly-Logarithmic Verification Time Proofs are efficient to verify

SNARGs "Succinct Non-Interactive Arguments"

2001

Universally Composable Commitments Ran Canetti⇤ Marc Fischlin† July 10, 2001 Abstract We propose a new security measure for commitment protocols, called Universally Composable (UC) Commitment. The measure guarantees that commitment protocols behave like an “ideal commitment service,” even when concurrently composed with an arbitrary set of protocols. This is a strong guarantee: it implies that security is maintained even when an unbounded number of copies of the scheme are running concurrently, it implies non-malleability (not only with respect to other copies of the same protocol but even with respect to other protocols), it provides resilience to selective decommitment, and more. Unfortunately two-party uc commitment protocols do not exist in the plain model. However, we construct two-party uc commitment protocols, based on general complexity assumptions, in the common reference string model where all parties have access to a common string taken from a predetermined distribution. The protocols are non-interactive, in the sense that both the commitment and the opening phases consist of a single message from the committer to the receiver. Keywords: Commitment schemes, concurrent composition, non-malleability, security analysis of

Common Reference String (CRS)

"Trusted Setup"

2007

Incrementally Verifiable Computation or Knowledge Implies Time/Space Efficiency by Paul Valiant Submitted to the Department of Electrical Engineering and Computer Science on February 2, 2007, in partial fulfillment of the requirements for the degree of Master of Science in Computer Science and Engineering Abstract The probabilistically checkable proof (PCP) system enables proofs to be verified in time polylogarithmic in the length of a classical proof. Computationally sound (CS) proofs improve upon PCPs by additionally shortening the length of the transmitted proof to be polylogarithmic in the length of the classical proof. In this thesis we explore the ultimate limits of non-interactive proof systems with respect to time/space efficiency and the new criterion of composability. We deduce the existence of our proposed proof system by way of a natural new assumption about proofs of knowledge. In fact, a main contribution of our result is showing that knowledge can be "traded" for time and space efficiency in noninterac- tive proof systems. Thesis Supervisor: Silvio Micali Title: Professor of Computer Science

2009

Problem Bitcoin Has No Privacy

2014

Eli Ben-Sasson

Zerocash: Decentralized Anonymous Payments from Bitcoin Eli Ben-Sasson⇤, Alessandro Chiesa†, Christina Garman‡, Matthew Green‡, Ian Miers‡, Eran Tromer§, Madars Virza† ⇤Technion, eli@cs.technion.ac.il †MIT, {alexch, madars}@mit.edu ‡Johns Hopkins University, {cgarman, imiers, mgreen}@cs.jhu.edu §Tel Aviv University, tromer@cs.tau.ac.il Abstract —Bitcoin is the first digital currency to see widespread adoption. While payments are conducted between pseudonyms, Bitcoin cannot offer strong privacy guarantees: payment trans- actions are recorded in a public decentralized ledger, from which much information can be deduced. Zerocoin (Miers et al., IEEE S&P 2013) tackles some of these privacy issues by unlinking transactions from the payment’s origin. Yet, it still reveals payments’ destinations and amounts, and is limited in functionality. In this paper, we construct a full-fledged ledger-based digital currency with strong privacy guarantees. Our results leverage recent advances in zero-knowledge Succinct Non-interactive AR- guments of Knowledge (zk-SNARKs). First, we formulate and construct decentralized anonymous payment schemes (DAP schemes). A DAP scheme enables users to directly pay each other privately: the corresponding transaction hides the payment’s origin, destination, and transferred amount. We provide formal definitions and proofs of the construction’s security. Second, we build Zerocash, a practical instantiation of our DAP scheme construction. In Zerocash, transactions are less than 1 kB and take under 6 ms to verify — orders of magnitude more efficient than the less-anonymous Zerocoin and competitive with plain Bitcoin. Keywords: Bitcoin, decentralized electronic cash, zero knowledge I. INTRODUCTION Bitcoin is the first digital currency to achieve widespread adoption. The currency owes its rise in part to the fact that, unlike traditional e-cash schemes [1, 2, 3], it requires no trusted parties. Instead of appointing a central bank, Bitcoin leverages a distributed ledger known as the block chain to store transactions made between users. Because the block chain is massively replicated by mutually-distrustful peers, the information it contains is public. While users may employ many identities (or pseudonyms) to enhance their privacy, an increasing body of research shows that anyone can de-anonymize Bitcoin by using information in the block chain [4, 5, 6], such as the structure of the transaction graph as well as the value and dates of transactions. As a result, Bitcoin fails to offer even a modicum of the privacy provided by traditional payment systems, let alone the robust privacy of anonymous e-cash schemes. While Bitcoin is not anonymous itself, those with sufficient motivation can obfuscate their transaction history with the help of mixes (also known as laundries or tumblers). A mix allows users to entrust a set of coins to a pool operated by a central party and then, after some interval, retrieve different coins (with the same total value) from the pool. Yet, mixes suffer from three limitations: (i) the delay to reclaim coins must be large to allow enough coins to be mixed in; (ii) the mix can trace coins; and (iii) the mix may steal coins.1 For users with “something to hide,” these risks may be acceptable. But typical legitimate users (1) wish to keep their spending habits private from their peers, (2) are risk-averse and do not wish to expend continual effort in protecting their privacy, and (3) are often not sufficiently aware of their compromised privacy. To protect their privacy, users thus need an instant, risk-free, and, most importantly, automatic guarantee that data revealing their spending habits and account balances is not publicly accessible by their neighbors, co-workers, and merchants. Anonymous transactions also guarantee that the market value of a coin is independent of its history, thus ensuring legitimate users’ coins remain fungible.2 Zerocoin: a decentralized mix. Miers et al. [8] proposed Zerocoin, which extends Bitcoin to provide strong anonymity guarantees. Like many e-cash protocols (e.g., [2]), Zerocoin employs zero-knowledge proofs to prevent transaction graph analyses. Unlike earlier practical e-cash protocols, however, Zerocoin does not rely on digital signatures to validate coins, nor does it require a central bank to prevent double spending. Instead, Zerocoin authenticates coins by proving, in zero- knowledge, that they belong to a public list of valid coins (which can be maintained on the block chain). Yet, rather than a full-fledged anonymous currency, Zerocoin is a decentralized mix, where users may periodically “wash” their bitcoins via the Zerocoin protocol. Routine day-to-day transactions must be conducted via Bitcoin, due to reasons that we now review. The first reason is performance. Redeeming zerocoins requires double-discrete-logarithm proofs of knowledge, which have size that exceeds 45 kB and require 450 ms to verify (at the 128-bit security level).3 These proofs must be broadcast 1CoinJoin [7], an alternative proposal, replaces the central party of a mix with multi-signature transactions that involve many collaborating Bitcoin users. CoinJoin can thus only mix small volumes of coins amongst users who are currently online, is prone to denial-of-service attacks by third parties, and requires effort to find mixing partners. 2While the methods we detail in this paper accomplish this, the same techniques open the door for privacy preserving accountability and oversight (see Section X). 3These published numbers [8] actually use a mix of parameters at both 128-bit and 80-bit security for different components of the construction. The cost is higher if all parameters are instantiated at the 128-bit security level. 2014 IEEE Symposium on Security and Privacy © 2014, Eli Ben-Sasson. Under license to IEEE. DOI 10.1109/SP.2014.36 459

"zkSNARKs" Zero-knowledge Succinct Non-interactive ARguments of Knowledge

zkSNARKs • Zero-knowledge proofs realized as algebraic circuits • Implemented using elliptic curves with bilinear pairings • Operates in the "Common Reference String" model

Rank-1 Constraint System (R1CS)

Constraint Example: Booleans x * (x - 1) = 0 0 * (0 - 1) = 0 1 * (1 - 1) = 0

2015

Scalable Zero Knowledge via Cycles of Elliptic Curves (extended version) Eli Ben-Sasson eli@cs.technion.ac.il Technion Alessandro Chiesa alexch@mit.edu MIT Eran Tromer tromer@cs.tau.ac.il Tel Aviv University Madars Virza madars@mit.edu MIT April 28, 2015 Abstract Non-interactive zero-knowledge proofs of knowledge for general NP statements are a powerful cryptographic primitive, both in theory and in practical applications. Recently, much research has focused on achieving an additional property, succinctness, requiring the proof to be very short and easy to verify. Such proof systems are known as zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs), and are desired when communication is expensive, or the verifier is computationally weak. Existing zk-SNARK implementations have severe scalability limitations, in terms of space complexity as a function of the size of the computation being proved (e.g., running time of the NP statement’s decision program). First, the size of the proving key is quasilinear in the upper bound on the computation size. Second, producing a proof requires “writing down” all intermediate values of the entire computation, and then conducting global operations such as FFTs. The bootstrapping technique of Bitansky et al. (STOC ’13), following Valiant (TCC ’08), offers an approach to scalability, by recursively composing proofs: proving statements about acceptance of the proof system’s own verifier (and correctness of the program’s latest step). Alas, recursive composition of known zk-SNARKs has never been realized in practice, due to enormous computational cost. Using new elliptic-curve cryptographic techniques, and methods for exploiting the proof systems’ field structure and nondeterminism, we achieve the first zk-SNARK implementation that practically achieves recursive proof composition. Our zk-SNARK implementation runs random-access machine programs and produces proofs of their correct execution, on today’s hardware, for any program running time. It takes constant time to generate the keys that support all computation sizes. Subsequently, the proving process only incurs a constant multiplicative overhead compared to the original computation’s time, and an essentially-constant additive overhead in memory. Thus, our zk-SNARK implementation is the first to have a well-defined, albeit low, clock rate of “verified instructions per second”. Keywords: computationally-sound proofs, proof-carrying data, zero knowledge, elliptic curves

Recursive Proof Proof of the existence of a previous solution to a proof

YO DAWG, I HEARD YOU LIKE ZERO KNOWLEDGE PROOFS YO DAWG, I HEARD YOU LIKE ZERO KNOWLEDGE PROOFS

Elliptic Curve Cycles

Problem "Trusted Setup"

No content

This Was Insufficient "Toxic Waste" accidentally leaked via ceremony transcript

Powers of Tau Replace setup ceremony with prolonged multiparty computation

2017

Bulletproofs: Short Proofs for Confidential Transactions and More Benedikt B¨ unz⇤1, Jonathan Bootle†2, Dan Boneh‡1, Andrew Poelstra§3, Pieter Wuille¶3, and Greg Maxwellk 1Stanford University 2University College London 3Blockstream Full Version⇤⇤ Abstract We propose Bulletproofs, a new non-interactive zero-knowledge proof protocol with very short proofs and without a trusted setup; the proof size is only logarithmic in the witness size. Bulletproofs are especially well suited for e cient range proofs on committed values: they enable proving that a committed value is in a range using only 2 log2 pnq ` 9 group and field elements, where n is the bit length of the range. Proof generation and verification times are linear in n. Bulletproofs greatly improve on the linear (in n) sized range proofs in existing proposals for confidential transactions in Bitcoin and other cryptocurrencies. Moreover, Bulletproofs supports aggregation of range proofs, so that a party can prove that m commitments lie in a given range by providing only an additive Oplogpmqq group elements over the length of a single proof. To aggregate proofs from multiple parties, we enable the parties to generate a single proof without revealing their inputs to each other via a simple multi-party computation (MPC) protocol for constructing Bulletproofs. This MPC protocol uses either a constant number of rounds and linear communication, or a logarithmic number of rounds and logarithmic communication. We show that verification time, while asymptotically linear, is very e cient in practice. Moreover, the verification of multiple Bulletproofs can be batched for further speed-up. Concretely, the marginal time to verify an aggregation of 16 range proofs is about the same as the time to verify 16 ECDSA signatures. Bulletproofs build on the techniques of Bootle et al. (EUROCRYPT 2016). Beyond range proofs, Bulletproofs provide short zero-knowledge proofs for general arithmetic circuits while only relying on the discrete logarithm assumption and without requiring a trusted setup. We discuss many applications that would benefit from Bulletproofs, primarily in the area of cryp- tocurrencies. The e ciency of Bulletproofs is particularly well suited for the distributed and trustless nature of blockchains. ⇤ benedikt@cs.stanford.edu † jonathan.bootle.14@ucl.ac.uk ‡ dabo@cs.stanford.edu § apoelstra@blockstream.io ¶ pieter@blockstream.com k

Bulletproofs • Non-interactive zero-knowledge proofs with small proof size • No trusted setup! • Uses "normal" elliptic curves - doesn't require bilinear pairings • Ideally suited for range proofs - but still provides R1CS

2018

Scalable, transparent, and post-quantum secure computational integrity Eli Ben-Sasson* Iddo Bentov† Yinon Horesh* Michael Riabzev* March 6, 2018 Abstract Human dignity demands that personal information, like medical and forensic data, be hidden from the public. But veils of secrecy designed to preserve privacy may also be abused to cover up lies and deceit by institutions entrusted with Data, unjustly harming citizens and eroding trust in central institutions. Zero knowledge (ZK) proof systems are an ingenious cryptographic solution to this tension between the ideals of personal privacy and institutional integrity, enforcing the latter in a way that does not compromise the former. Public trust demands transparency from ZK systems, meaning they be set up with no reliance on any trusted party, and have no trapdoors that could be exploited by powerful parties to bear false witness. For ZK systems to be used with Big Data, it is imperative that the public verification process scale sublinearly in data size. Transparent ZK proofs that can be verified exponentially faster than data size were first described in the 1990s but early constructions were impractical, and no ZK system realized thus far in code (including that used by crypto-currencies like Zcash™) has achieved both transparency and exponential verification speedup, simultaneously, for general computations. Here we report the first realization of a transparent ZK system (ZK-STARK) in which verification scales exponentially faster than database size, and moreover, this exponential speedup in verification is observed concretely for meaningful and sequential computations, described next. Our system uses several recent advances on interactive oracle proofs (IOP), such as a “fast” (linear time) IOP system for error correcting codes. Our proof-of-concept system allows the Police to prove to the public that the DNA profile of a Presidential Candidate does not appear in the forensic DNA profile database maintained by the Police. The proof, which is generated by the Police, relies on no external trusted party, and reveals no further information about the contents of the database, nor about the candidate’s profile. In particular, no DNA information is disclosed to any party outside the Police. The proof is shorter than the size of the DNA database, and verified faster than the time needed to examine that database na¨ ıvely.

zkSTARKs • Built on symmetric cryptography - post quantum security • No trusted setup: eliminates CRS with techniques similar to erasure codes • Uses "Algebraic Intermediate Representation" (AIR) instead of R1CS • Complex mathematics - no "production quality" implementation yet • Being developed at Eli Ben-Sasson's company Starkware

Coda Protocol Proof-of-Stake blockchain built on recursive ZKPs

No content

Coda • Proves longest chain following consensus rules with recursive ZKPs • Written in OCaml • Proofs generated with "Snarky": ZKP compiler for OCaml DSL

2019

Z : Enabling Decentralized Private Computation Sean Bowe sean@z.cash Zcash Alessandro Chiesa alexch@berkeley.edu UC Berkeley Matthew Green mgreen@cs.jhu.edu Johns Hopkins University Ian Miers imiers@cs.jhu.edu Cornell Tech Pratyush Mishra pratyush@berkeley.edu UC Berkeley Howard Wu howardwu@berkeley.edu UC Berkeley February 21, 2019 Abstract Ledger-based systems that support rich applications often su er from two limitations. First, validating a transaction requires re-executing the state transition that it attests to. Second, transactions not only reveal which application had a state transition but also reveal the application’s internal state. We design, implement, and evaluate Z , a ledger-based system where users can execute o ine computations and subsequently produce transactions, attesting to the correctness of these computations, that satisfy two main properties. First, transactions hide all information about the o ine computations. Second, transactions can be validated in constant time by anyone, regardless of the o ine computation. The core of Z is a construction for a new cryptographic primitive that we introduce, decentralized private computation (DPC) schemes. In order to achieve an e cient implementation of our construction, we leverage tools in the area of cryptographic proofs, including succinct zero knowledge proofs and recursive proof composition. Overall, transactions in Z are 968 bytes regardless of the o ine computation, and generating them takes less than a minute plus a time that grows with the o ine computation. We demonstrate how to use Z to realize privacy-preserving analogues of popular applications: private decentralized exchanges for user-defined fungible assets and regulation-friendly private stablecoins. Keywords: decentralized computation; zero knowledge proofs; succinct arguments

Universal Verifiable Computation ZKPs can be used to prove any program was executed correctly while keeping the inputs secret

Spartan: Efficient and general-purpose zkSNARKs without trusted setup Srinath Setty Microsoft Research Abstract This paper describes a new public coin, succinct interactive zero-knowledge argument for NP under standard cryptographic hardness assumptions—without requiring a trusted setup. In particular, our argument enables a prover to prove the satisfiability of arithmetic circuits over a large finite field (an NP-complete language for which there exist efficient reductions from high-level programs of practical interest) to a verifier. We construct this argument through a novel synthesis of techniques from prior work on short PCPs, MIPs, and doubly-efficient IPs. Specifically, our interactive argument is a succinct variant of the sum-check protocol where the protocol is run with a carefully-constructed low-degree polynomial that encodes a given circuit satisfiability instance. Since our interactive argument is public coin, we make it non-interactive in the random oracle model, thereby obtaining a zero-knowledge succinct non-interactive argument of knowledge (zkSNARK), which we call Spartan. Spartan is the first zkSNARK without trusted setup (i.e., a “transparent” zkSNARK) where verifying a proof incurs sub-linear costs without requiring data parallelism (or other homogeneity) in the structure of an arithmetic circuit for which a proof is produced. To achieve this, Spartan introduces a notion of computation commitments—a primitive to create a short cryptographic commitment to a mathematical description of an arithmetic circuit. Finally, Spartan is asymptotically efficient with small constants: the prover performs O(n) cryptographic operations to produce a proof of size O(n1/c) that can be verified in O(n1 1/c) time (after a one-time, public preprocessing of the circuit to create a computation commitment that takes O(n) time), where n denotes the size of an arithmetic circuit and c 2 (Spartan can produce O(log n)-sized proofs, but the verifier incurs O(n) costs). 1 Introduction We revisit the problem of designing succinct zero-knowledge arguments for a general class of applications. In particular, we are interested in arguments for the complexity class NP [32, 66, 73]: they enable a computationally-bounded prover to convince the membership of a problem instance in an NP language without revealing anything besides the validity of

zkSNARKs without trusted setup!

Our story would end here but... just a few days ago a major new development

Halo: Recursive Proof Composition without a Trusted Setup Sean Bowe sean@electriccoin.co Electric Coin Company Jack Grigg jack@electriccoin.co Electric Coin Company Daira Hopwood daira@electriccoin.co Electric Coin Company Abstract Non-interactive proofs of knowledge allow us to publicly demonstrate the faithful execution of arbitrary computations. SNARKs have the additional property of succinctness, meaning that the proofs are short and fast to verify even when the computations involved are large. This property raises the prospect of recursive proof composition: proofs that verify other proofs. All previously known realizations of recursive proof composition have required a trusted setup and cycles of expensive pairing-friendly elliptic curves. We obtain the first practical example of recursive proof composition without a trusted setup, using only ordinary cycles of elliptic curves. Our primary contribution is a novel technique for amortizing away expensive verification procedures from within the proof verification cycle so that we could obtain recursion using a composition of existing protocols and techniques. We devise a technique for amortizing the cost of verifying multiple inner product arguments which may be of independent interest. 1 Introduction Proofs of knowledge [GMR89], introduced by Goldwasser, Micali and Racko↵,

Halo • Combines the best parts of SNARKs and Bulletproofs • Recursive proofs • No trusted setup! • Uses "normal" elliptic curves - doesn't require bilinear pairings

That's all folks!

Thanks for coming! @bascule tonyarcieri.com