Slide 1

ZK-Snarks in English
Ronak Kogta

Slide 2

In this talk, we'll learn:
1. What are Zero Knowledge Proofs?
2. What are ZK-SNARKs?
3. How to construct ZK-SNARKs?

Slides 3-6

Problem Statement
• Alice belongs to an organisation A.
• Bob belongs to an organisation B.
• They both want to do a transaction, and want the valid result for their inputs.
• Since the inputs are important for both organisation A and B, they do not want to reveal that information.
• They do not trust each other.

Slides 7-11

Problem Statement
[Diagram: Alice holds x, Bob holds y. Bob sends y to Alice; Alice sends back f(x,y).]
• Here Bob compromises, and reveals his y.
• Alice may change her x, and give a wrong f(x,y).
• Or Bob gives y in such a way that information about x is revealed.
• Both Alice and Bob can cheat, and the transaction will have no fairness guarantee.

Slides 12-17

Fairness by 3rd Party
[Diagram: Alice holds x, Bob holds y. Bob sends y, Alice sends f(x,y), and a Third Party Auditor checks the exchange: "Evaluation of x, y and f(x,y) was correct. OK!" or "Error in evaluation. Not OK!"]
• This approach delegates trust to the third party, and our security totally depends on the premise that the auditor is neither malicious nor hacked.

Slide 18

Computational Integrity and Privacy (CIP)
• Integrity of computation (CI): Bob wants to establish that an NP statement asserted by Alice is valid and true.
• Confidentiality of input (P): If the NP statement is true, the prover (Alice) can convince the verifier (Bob) without leaking any information about her input.
• Proofs of Knowledge: Bob wants a guarantee that the agreed-upon "secret input" exists and that Alice knows that "secret input".
• Efficiency: Bob should be able to verify the proof in bounded polynomial time.

Slides 19-22

Proof Systems
A proof system S for a language L is a pair S = (V, P) where V is the verifier and P is the prover.
[Diagram: Verifier and Prover exchanging messages.]
• Soundness: the prover should be able to convince the verifier of a false statement only with negligible probability.
• Completeness: the prover should be able to convince the verifier of a true statement with absolute certainty.
• Efficiency: the verifier should be able to verify the validity of the arguments in polynomial time.

Slide 23

Proof Systems
• The language "L" is NP-complete.
• "Karp's reduction": a problem in NP-complete can be converted to another problem in NP-complete in polynomial time with respect to the length of the input.
• So, if you can construct a proof for one problem, all other problems could be solved by converting them to the prior problem.
• Another advantage of such languages is that they can be verified in bounded time, but cannot be solved easily.

Slide 24

Proof Systems

Slides 25-28

Proof Systems
In short, proof systems mathematically validate the authenticity of a computation. Zero knowledge proofs are a subset of proof systems, with an additional constraint of "hiding" or "zero knowledge".
[Diagram: Alice holds x, Bob holds y. Bob sends E(y); Alice sends E(f(x,y)).]
• The key element here is that we have used E(..), a hiding scheme which does not reveal y to Alice, and x is not revealed to Bob.
• Both Alice and Bob learn nothing.

Slides 29-31

[Diagram: Prover Alice holds x, Verifier Bob holds y.
Round 1: Bob sends E(y), Alice sends E(f(x,y)).
Round 2: Bob sends E(y'), Alice sends E(f(x,y')).
...
Round k: Bob sends E(y''), Alice sends E(f(x,y'')).]

Slide 32

Interactive ZK (IZK)
• In the previous construction, verifier and prover interactively solve puzzles while guarding their knowledge, and verifying the computation.
• After k rounds, the verifier will probabilistically be able to assert that the prover has a very small probability of cheating, as he was provided with different inputs and had to provide the right solution every time. (Soundness and Completeness)
• That will only happen if the prover knows the right input and did the right computation.

Slide 33

Non-interactive ZK (NIZK)
• Interactive ZK involves active participation of two parties, and in practice it is slow and hard to achieve.
• NIZK proofs are preprocessed ZKPs, which need to be published to untampered memory. A blockchain could be such memory.
• Interesting properties of NIZK proofs:
  - Publishes a proof π.
  - Generates keys VK and PK, so the proof π can be mathematically reproduced with PK and verified with VK.
  - Needs a trusted setup to generate a CRS, which can be seen by both prover and verifier.

Slide 34

CRS Model
• Initial parameters are randomly chosen using a good pseudorandom generator.
• It requires a trusted setup.
• These parameters are used to generate a "Common Reference String", which can be seen by both Alice and Bob, or more formally the Prover and the Verifier.
• The initial parameters used to generate the CRS need to be securely destroyed, otherwise the CRS could be spoofed.

Slide 35

Till now
• We saw the problem between Alice and Bob and explored some solutions, including a third party.
• We saw the construction of interactive zero knowledge proofs and non-interactive zero knowledge proofs.

Slide 36

What is a ZK-SNARK?

Slide 37

ZK-SNARKs
• One of the recent developments in NIZK proofs. Stands for zero-knowledge Succinct Non-interactive ARgument of Knowledge.
• We need:
  - The proof length to be short (that's why Succinct)
  - Verifiable in a short amount of time (that's why NI)
  - And of course, we need to show that we know an input which yields a certain computation (that's why ARK)

Slide 38

ZK-SNARKs
• Construction of ZK-SNARKs involves construction of two important pieces:
  - A cryptographic proof system for verifying satisfiability of arithmetic circuits
  - A circuit generator to translate program executions into such circuits

Slide 39

Cryptographic Proof System for ZK-SNARKs
• ZK-SNARKs exist for all problems in NP. For the above construction we use the Circuit-SAT (circuit satisfiability) problem.
• It is an NP-complete problem, and a variant of the Boolean satisfiability problem. Efficient constructions from an arbitrary program to arithmetic circuits exist in the literature.
[Diagram label: Quadratic Arithmetic Program (QAP)]

Slides 40-49

Cryptographic Proof System for ZK-SNARKs
[Diagram, built up step by step:
Initial Parameters -> CRS (then destroy the parameters)
Arbitrary Program -> Arithmetic Circuit
Key generation on trusted setup
Prover: holds witness w and publishes proof π
Verifier: evaluates π and the existence of w]

Slide 50

Cryptographic Proof System for ZK-SNARKs
• The arbitrary program is encoded into polynomials defined over a prime field Fp, where p is a prime number.
  - Computers are not good at handling arbitrarily large numbers, so having an upper bound is a good assumption.
  - Field arithmetic allows trapdoor functions, which are hard to solve unless the secret trapdoor is known, e.g. the discrete logarithm problem.
  - Arithmetic involves simple addition and multiplication defined over the field, i.e. modular arithmetic.
• Solve for: t(x)h(x) = w(x)v(x)

Slides 51-58

Till now
ZK-SNARK is a cryptographic method for proving/verifying, in zero knowledge, the integrity of computations.
[Diagram, built up step by step:
C program foo, with input bar and additional input qux, returns exit code 0.
<=> Arithmetic circuit foo accepts the partial assignment bar, when extended into some full assignment qux.
<=> Set of constraints foo (f(x)) accepts the partial assignment bar, when extended into some full assignment qux.
<=> Verifier accepts.]

Slide 59

How to construct ZK-SNARKs

Slide 60

Breaking down ZK-SNARKs logically
1. Homomorphic Hiding
2. From computations to polynomials
   1. Blind evaluation of polynomials
   2. Making blind evaluation of polynomials verifiable
3. Zero knowledge construction
   1. Satisfying a QAP (Pinocchio protocol)
   2. Pairings on elliptic curves

Slide 61

Homomorphic Hiding
  t(x)h(x) = w(x)v(x)
• In the above equation, the prover should not be able to deduce "s", so rather than providing the input s, we provide E(x), s.t.
  E(t(x))E(h(x)) = E(w(x))E(v(x))
• E(x) is a homomorphic hiding scheme s.t.
  I. Given E(x), it is hard to find x.
  II. If x ≠ y, then E(x) ≠ E(y).
  III. E(x + y) = E(x) + E(y).
• This is mainly used to hide the verifier's challenges.

Slide 62

Blind evaluation of t(x)h(x) = w(x)v(x)
• Solving for x will be really hard, as the degree of this polynomial can go as high as 2^21.
• To make our proof efficient, we choose a random s, s.t.
  t(s)h(s) = w(s)v(s)
  This reduces our problem to equating variables and doing simple multiplication and addition. Even so, it is compute-intensive work.
• Instead of (s^0, s^1, s^2, …, s^d), we choose to send (E(s^0), E(s^1), E(s^2), …, E(s^d)), where d is the degree of the polynomial, and this can be published in the CRS. s is one of those parameters that needs to be destroyed.
• However, Alice may ignore (E(s^0), E(s^1), E(s^2), …, E(s^d)) and pick her own values, so we need to verify the evaluation of the polynomials.

Slide 63

Verifiable Blind Evaluation of Polynomials
• Knowledge of Coefficient Test (KC Test)
• For α ∈ Fp, a pair (a, b) in G is an α-pair if
  - a, b ≠ 0
  - b = α·a
• Given an α-pair (a, b):
  - There exists no way to deduce a from b.
  - The only way to generate another pair with the same α is by selecting a random k, giving (k·a, k·b) with k·b = α·(k·a).

Slide 64

Verifiable Blind Evaluation of Polynomials
• d-KCA Test: Suppose Bob chooses random α ∈ Fp and s ∈ Fp and sends the d α-pairs (E(s^0), …, E(s^d)) and (α·E(s^0), …, α·E(s^d)) to Alice, and in return Alice returns one α-pair (a', b'). Then, except with negligible probability, Alice knows (c0, c1, c2, …, cd) ∈ Fp s.t.
  ∑_{i=0}^{d} c_i s^i · g = a'
• In protocol form:
  - Bob sends an α-pair (s, α·s) to Alice.
  - Alice computes a = P(s) and b = αP(s).
  - Bob checks if b = α·a, and accepts if and only if the equality holds.
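As an added example (not from the slides), a toy version of the blind evaluation on slide 62 combined with the α-pair check of slides 63 and 64, in Python. The hiding E(x) = g^x mod q, the parameters p = 509, q = 1019, g = 4 and the sample polynomial are my assumptions for illustration; real SNARKs use elliptic-curve groups with ~256-bit primes.

```python
# Added example, not from the slides: a toy homomorphic hiding E(x) = g^x mod q over a
# small field, used for the blind evaluation of slide 62 with the alpha-pair (KC) check
# of slides 63-64. Parameters p, q, g and the sample polynomial are constructed here;
# real SNARKs use elliptic-curve groups with ~256-bit primes.
from random import randrange

P = 509           # prime order of the group; exponents (the hidden values) live in F_p
Q = 2 * P + 1     # 1019, a safe prime; group elements live in Z_q^*
G = 4             # a quadratic residue mod q, hence a generator of the order-P subgroup

def E(x):  # hiding: hard to invert (discrete log), injective on F_p, E(x+y) = E(x)*E(y)
    return pow(G, x % P, Q)

def poly_eval(coeffs, s):  # what Alice could compute if she were allowed to see s
    return sum(c * pow(s, i, P) for i, c in enumerate(coeffs)) % P

def bob_setup(d):
    """Bob picks secret s and alpha and publishes (E(s^i), alpha . E(s^i)) for i = 0..d.
    In the CRS model this is the trusted setup; s and alpha must then be destroyed."""
    s, alpha = randrange(1, P), randrange(2, P)
    powers = [E(pow(s, i, P)) for i in range(d + 1)]
    alpha_powers = [E(alpha * pow(s, i, P)) for i in range(d + 1)]   # alpha . E(s^i)
    return (s, alpha), (powers, alpha_powers)

def alice_blind_eval(coeffs, challenge):
    """Alice returns (E(P(s)), E(alpha*P(s))) without ever learning s:
    E(sum c_i s^i) = prod_i E(s^i)^{c_i} by the homomorphic property."""
    a, b = 1, 1
    for c, hs, ahs in zip(coeffs, *challenge):
        a = a * pow(hs, c, Q) % Q
        b = b * pow(ahs, c, Q) % Q
    return a, b

def bob_check(secrets, pair):
    """KC test: accept iff (a', b') is an alpha pair, b' = alpha . a'.
    In this multiplicative group 'alpha . a' is a^alpha."""
    s, alpha = secrets
    a, b = pair
    return b == pow(a, alpha, Q)

def demo(coeffs):
    secrets, challenge = bob_setup(len(coeffs) - 1)
    pair = alice_blind_eval(coeffs, challenge)
    honest_ok = bob_check(secrets, pair)
    matches_s = pair[0] == E(poly_eval(coeffs, secrets[0]))   # Bob could verify with his s
    # An Alice who ignores the published hidings and picks her own a' cannot supply the
    # matching b' without alpha; here she guesses b' = a' = E(7).
    forged_ok = bob_check(secrets, (E(7), E(7)))
    return honest_ok, matches_s, forged_ok
```

With such small numbers E is trivially invertible by brute force; the structure, not the parameter size, is what the example shows.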

Slide 65

Satisfying QAP
A Quadratic Arithmetic Program Q of degree d and size m consists of polynomials L1, …, Lm, R1, …, Rm, O1, …, Om and a target polynomial T of degree d.
An assignment (c1, …, cm) satisfies Q if, for
  (i) L := ∑_{i=1}^{m} c_i L_i
  (ii) R := ∑_{i=1}^{m} c_i R_i
  (iii) O := ∑_{i=1}^{m} c_i O_i
  (iv) P := L·R − O,
we have that T divides P, i.e. P = H·T.
As we saw earlier, we do not need to evaluate for x, but rather choose s ∈ Fp such that P(s) = H(s)·T(s).

Slide 66

Satisfying QAP
• Alice chooses polynomials L, R, O, H of degree at most d.
• Bob chooses a random point s ∈ Fp and computes E(T(s)).
• Alice sends Bob the hidings of all these polynomials evaluated at s, i.e. E(L(s)), E(R(s)), E(O(s)), E(H(s)).
• Bob checks if the desired equation holds at s. That is, he checks whether E(L(s)·R(s) − O(s)) = E(T(s)·H(s)).
• To simplify the construction we reduce L, R, O to a single polynomial F:
  F = L + X^(d+1)·R + X^(2(d+1))·O
  *Note that the coefficients do not mix, as they are separated by degree d.
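As an added example (not from the slides), the QAP check of slide 65 and the single-point check of slide 66 carried out in Python for a tiny circuit. The circuit x^3 + x + 5 = 35, its gate layout, the field size and the witness x = 3 are my assumptions; the hidings E(·) are left out so the polynomial arithmetic itself is visible.

```python
# Added example, not from the slides: a toy QAP over F_p for the circuit out = x^3 + x + 5 (four
# multiplication gates), checked as on slide 65 (T divides P = L*R - O) and at one point s (slide 66).
from functools import reduce
p = 2**31 - 1  # toy prime field; real systems use the ~254-bit order of a curve group

def padd(a, b):  # polynomial addition over F_p, coefficient lists lowest degree first
    a, b = a + [0] * (len(b) - len(a)), b + [0] * (len(a) - len(b))
    return [(u + v) % p for u, v in zip(a, b)]

def pmul(a, b):  # polynomial multiplication over F_p
    out = [0] * (len(a) + len(b) - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            out[i + j] = (out[i + j] + u * v) % p
    return out

def pdivmod(num, den):  # long division by a monic polynomial; returns (quotient, remainder)
    num, q = num[:], [0] * max(1, len(num) - len(den) + 1)
    for i in range(len(num) - len(den), -1, -1):
        q[i] = num[i + len(den) - 1]
        for j, v in enumerate(den):
            num[i + j] = (num[i + j] - q[i] * v) % p
    return q, num[:len(den) - 1]

def interpolate(ys):  # Lagrange polynomial taking value ys[j-1] at the gate root X = j
    poly = [0]
    for i, yi in enumerate(ys, 1):
        term = [yi]
        for j in range(1, len(ys) + 1):
            if j != i:  # multiply by (X - j) / (i - j)
                inv = pow(i - j, p - 2, p)
                term = pmul(term, [(-j * inv) % p, inv])
        poly = padd(poly, term)
    return poly

# Gate j has root X = j. Each row holds, over the variables [one, x, out, sym1, y, sym2],
# the coefficient vectors of the gate's left input, right input and output.
GATES = [([0, 1, 0, 0, 0, 0], [0, 1, 0, 0, 0, 0], [0, 0, 0, 1, 0, 0]),  # sym1 = x * x
         ([0, 0, 0, 1, 0, 0], [0, 1, 0, 0, 0, 0], [0, 0, 0, 0, 1, 0]),  # y = sym1 * x
         ([0, 1, 0, 0, 1, 0], [1, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 1]),  # sym2 = (x + y) * 1
         ([5, 0, 0, 0, 0, 1], [1, 0, 0, 0, 0, 0], [0, 0, 1, 0, 0, 0])]  # out = (sym2 + 5) * 1
T = reduce(pmul, ([(-j) % p, 1] for j in range(1, len(GATES) + 1)))  # (X-1)(X-2)(X-3)(X-4)
LRO = [[interpolate([g[k][i] for g in GATES]) for i in range(6)] for k in range(3)]  # L_i, R_i, O_i
def combine(c):  # L = sum c_i L_i, R = sum c_i R_i, O = sum c_i O_i for an assignment c
    return [reduce(padd, (pmul([ci], q) for ci, q in zip(c, polys))) for polys in LRO]
def satisfies(c):  # slide 65: c satisfies Q iff T divides P = L*R - O; H is the quotient
    L, R, O = combine(c)
    H, rem = pdivmod(padd(pmul(L, R), [(-v) % p for v in O]), T)
    return all(v == 0 for v in rem), H
def peval(poly, s):
    return sum(co * pow(s, i, p) for i, co in enumerate(poly)) % p
def holds_at(c, s):  # slide 66: check L(s)R(s) - O(s) = T(s)H(s) at a single random point s
    (L, R, O), H = combine(c), satisfies(c)[1]
    return (peval(L, s) * peval(R, s) - peval(O, s)) % p == peval(T, s) * peval(H, s) % p
```

The witness for x = 3 is [1, 3, 35, 9, 27, 30]; an assignment that breaks a gate (for instance x = 4 with the same output 35) leaves a non-zero remainder and fails the point check.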

Slide 67

Elliptic Curve Pairing
• It is used for the equality check of polynomials.
• Since the maths for this is a little tricky, it would be better if you check out these resources:
  1. Elliptic curve pairing
  2. Exploring Elliptic curve pairing

Slide 68

References
1. Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture, Eli Ben-Sasson et al.
2. ZK-SNARKs in a nutshell, by Christian Reitwiessner
3. How ZK-SNARKs work in Zcash
4. ZK-SNARKs under the hood, by Vitalik Buterin
5. Pairings for beginners, by Craig Costello