Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs

Transcription

1 Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs Jens Groth University College London Mary Maller University College London Crypto Santa Barbara: 21/08/2017

2 How can a sender of a message prove themselves trustworthy without revealing who they are? 2 of 23

3 Example: Bitcoin Pay Alice a coin Signed: aaaaaaa Bitcoin uses digital signatures: Trustworthy? Anonymous? Bob Bob s wallet 3 of 23

4 Example: Bitcoin Bob Bob s wallet Pay Alice a coin Signed: aaaaaaa Bitcoin uses digital signatures: Trustworthy? Bob can always convince the verifiers. An adversary cannot forge Bob s signature. An adversary cannot use Bob s signature on a different message. Anonymous? 3 of 23

5 Example: Bitcoin Bob Bob s wallet Pay Alice a coin Signed: aaaaaaa Bitcoin uses digital signatures: Trustworthy = Anonymous = Pseudonymous Bob s real name might be Roberta. Can often uncover Bob s real world identity based on what he spends. 3 of 23

6 Example: Zerocoin Example: Zerocoin Owner of an unspent coin Pay Alice a coin Signed: aaaaaaa Zerocoin uses signatures of knowledge: Trustworthy? The owner of an unspent coin can compute a signature. A person without an unspent coin cannot compute a signature. A signature cannot be adapted for use on a different message. Anonymous? 4 of 23

7 Example: Zerocoin Owner of Bob an unspent coin Pay Alice a coin Signed: aaaaaaa Zerocoin uses signatures of knowledge: Trustworthy = Anonymous = Signature of knowledge provides no additional information as to who the spender is. 4 of 23

8 Example: Zerocoin Example: Zerocoin Owner of Bob an unspent coin Pay Alice a coin Signed: aaaaaaa Zerocoin uses signatures of knowledge: Trustworthy = Anonymous = Signature of knowledge provides no additional information as to who the spender is. However signatures of knowledge are large and take a long time to verify => Zerocoin not efficient. 4 of 23

9 Example: Zcash Example: Zcash Owner of Bob an unspent coin Pay Alice a coin Signed: aaaaaaa Zcash uses zk-snarks: Trustworthy? Anonymous? zk-snarks provides no additional information as to who the spender is. zk-snarks are small and take a small time to verify => Zcash is efficient. 5 of 23

10 Owner of Bob an unspent coin Pay Alice a coin Signed: aaaaaaa Standard zk-snarks do not provide this property. Zcash has to take additional steps to prevent transaction malleability. Example: Zcash Example: Zcash Zcash uses zk-snarks: Trustworthy = The owner of an unspent coin can compute a proof. A person without an unspent coin cannot compute a proof. A proof cannot be adapted for use on a different message????? Anonymous = 5 of 23

11 Our Contributions We construct the first simulation-extractable SNARK (SE-SNARK). We exploit a link between signatures of knowledge and SE-SNARKs to also get the first succinct signature of knowledge. Ingredients: 1. Asymmetric bilinear groups; 2. Square arithmetic programs; 3. External power knowledge of exponent assumption; 4. Computational assumption. 6 of 23

12 Plan Definitions Square Arithmetic Programs Construction Efficiency

13 Asymmetric Bilinear Groups prime bp = p, G, H, T, e Function e: G H T Groups of order p There are efficient algorithms for deciding group membership and computing group operations; No isomorphism between G and H is efficiently computable in either direction. Properties: Bilinearity: e G a, H b = e(g, H) ab Non-degeneracy: if X 1 and Y 1 then e X, Y 1 Efficient: e is efficiently computable. 7 of 23

14 SE-SNARK Simulation-Extractable zero-knowledge Succinct Non-interactive ARgument of Knowledge 8 of 23

15 SE-SNARKs A person knows a witness for an instance Φ. Properties: Correct: Zero Knowledge: Sound: A person who knows a witness can always convince the verifier. The verifier learns no information from the proof except that the instance is true. A false statement cannot be proven. Simulation-Extractable: Old proofs cannot be used to forge new proofs of false statements. 9 of 23

16 Zero-Knowledge Zero Knowledge: The verifier learns no information from the proof except that the instance is true. CRS (CRS, τ) Setup(R) CRS, τ π f(crs, Φ, w) π ρ τ (CRS, Φ) 10 of 23

17 Zero-Knowledge Zero Knowledge: The verifier learns no information from the proof except that the instance is true. CRS (CRS, τ) Setup(R) CRS, τ π f(crs, Φ, w) π ρ τ (CRS, Φ) π 10 of 23

18 Zero-Knowledge Zero Knowledge: The verifier learns no information from the proof except that the instance is true. CRS (CRS, τ) Setup(R) CRS, τ π f(crs, Φ, w) π ρ τ (CRS, Φ) π 10 of 23

19 Zero-Knowledge Zero Knowledge: The verifier learns no information from the proof except that the instance is true. CRS (CRS, τ) Setup(R) CRS, τ π f(crs, Φ, w) π ρ τ (CRS, Φ) Did the prover use the witness or the trapdoor to compute π? 10 of 3

20 Simulation-Extractability Simulation-Extractable: Old proofs cannot be used to forge new proofs of false statements. CRS (CRS, τ) Setup(R) Φ i CRS, τ π f(crs, Φ,?? ) ORACLE π i ρ τ (CRS, Φ i ) I know a witness for Φ π i (Φ, π) EITHER Φ, π = (Φ i, π i ) 11 of 23

21 Simulation-Extractability Simulation-Extractable: Old proofs cannot be used to forge new proofs of false statements. (CRS, τ) Setup(R) CRS CRS, τ Φ i Implies Soundness π f(crs, Φ,?? ) ORACLE π i ρ τ (CRS, Φ i ) I know a witness for Φ π i (Φ, π) EITHER Φ, π = (Φ i, π i ) 11 of 23

22 Succinctness The size of the proof and the time taken to verify a proof does not depend on the size of the witness. 12 of 23

23 Signature of Knowledge A person who knows a witness for an instance Φ has signed a message. Properties: Correct: Zero Knowledge: Sound: A person who knows a witness can always convince the verifier. The verifier learns no information from the signature except that the instance is true. A false statement cannot be signed. Simulation-Extractable: Old signatures cannot be used to forge new signatures of false statements. 13 of 23

24 Plan Definitions Square Arithmetic Programs Construction Efficiency

25 Arithmetic Circuits u 1 v 1 u 2 v 2 u 1 v3 w 2 w 3 w 1 v u 2 4 w 5 u 3 v 4 w 4 Encoding of NP languages. The instance is some of the wire values that are revealed. The witness is the value of the remaining wires. 14 of 23

26 Arithmetic Circuits u 1 v 1 u 2 v 2 u 1 v3 w 2 w 3 u 1 = 5 w 1 v u 2 w 4 4 w 5 u 3 v 4 w 2 = 7 Encoding of NP languages. The instance is some of the wire values that are revealed. The witness is the value of the remaining wires. 14 of 23

27 Arithmetic Circuits u 1 v 1 u 2 v 2 u 1 v3 w 2 w 3 w 1 v u 2 4 w 5 u 3 v 4 w 4 Prover commits to values of wires. Prover shows Output wires consistent with input wires. Multiplication and addition gates calculated correctly. 14 of 23

28 Quadratic Arithmetic Programs [GGPREurocrypt13] Relation described by degree n 1 polynomials R = p, l, u i X, v i X, w i X m i=0, t X degree n polynomial Instance Φ = (s 1,, s l ) and witness w = (s l+1,, s m ) satisfy arithmetic circuit C if and only if σ m i=0 s i u i (X) σ m i=0 s i v i (X) = σ m i=0 s i w i (X) + mod t(x) 15 of 23

29 Quadratic Arithmetic Programs [GGPREurocrypt13] Relation described by degree n 1 polynomials R = p, l, u i X, v i X, w i X m i=0, t X degree n polynomial Instance Φ = (s 1,, s l ) and witness w = (s l+1,, s m ) satisfy arithmetic circuit C if and only if σ m i=0 s i u i (X) σ m i=0 s i v i (X) = σ m i=0 s i w i (X) + mod t(x) s 0 = 1 15 of 23

30 Square Arithmetic Programs We can ensure that left input wires and right input wires are the same if we double the size of the circuit. Relation described by R = p, l, u i X, w i X (s 1,, s m ) satisfy circuit C if and only if s 0 = 1 σ m i=0 s i u i X 2 = σ m i=0 degree 2n 1 polynomials m i=0, t X s i w i (X) + mod t(x) degree 2n polynomial 16 of 23

31 Plan Definitions Square Arithmetic Programs Construction Efficiency

32 Groth Eurocrypt 2016 Construction Instance = Φ v u 1 v 2 1 u u v3 1 2 w 2 w 3 w 1 Commitment to left input wires Commitment to right input wires u 3 v 4 Proof = (A, B, C) group elements. u 4 v 2 w 4 Commitment to output wires w 5 17 of 23

33 Groth Eurocrypt 2016 Construction Instance = Φ Verification Equation: Proof = (A, B, C) group elements. Known function of Φ e(a, B) = e(g α, H β )e(g f Φ 1 δ 1, H δ 1)e(C, H δ ) secret Each of these pairings contribute towards knowledge soundness 17 of 23

34 Groth Eurocrypt 2016 is Sound Multiplication and addition gates evaluated correctly e(a, B) = e(g α, H β )e(g f Φ 1 δ 1, H δ 1)e(C, H δ ) α, β ensure internal wires are consistent Hard to find G f(φ) or H f(φ) = prover must use their witness. 18 of 23

35 Groth Eurocrypt 2016 not SE Suppose A, B, C satisfy e(a, B) = e(g α, H β )e(g f Φ 1 δ 1, H δ 1)e(C, H δ ) Then so does A, B H r, A r C Then so does A r, B 1 r, C 19 of 23

36 Our Techniques: 1 Suppose A, B, C satisfy e(ag α, BH β ) = e(g α, H β )e(g f Φ 1 δ 1, H δ 1)e(C, H δ ) Second verification equation e(a, H γ ) = e(g γ, B) Then so does A r, B 1 r, C 20 of 23

37 Our Techniques: 2 CRS contains H, G γ, H γ but not G Suppose A, B, C satisfy e AG α, BH β = e G α, H β e G f Φ, H γ e C, H e(a, H γ ) = e(g γ, B) Cannot calculate C from the CRS Then so does A, B = BH r, C??? Need second verification equation Implies C contains a factor of γ 2 Implies A = AG r Implies r depends on γ 21 of 23

38 Our Techniques: 2 CRS contains H, G γ, H γ but not G Suppose A, B, C satisfy e AG α, BH β = e G α, H β e G f Φ, H γ e C, H e(a, H γ ) = e(g γ, B) Cannot calculate C from the CRS Then so does A, B = BH r, C??? Need second verification equation Implies C contains a factor of γ 2 Implies A = AG r Implies r depends on γ 21 of 23

39 Our Techniques: 2 CRS contains H, G γ, H γ but not G Suppose A, B, C satisfy e AG α, BH β = e G α, H β e G f Φ, H γ e C, H e(a, H γ ) = e(g γ, B) Cannot calculate C from the CRS Then so does A, B = BH r, C??? Need second verification equation Implies C contains a factor of γ 2 Implies A = AG r Implies r depends on γ 21 of 23

40 Our Techniques: 2 CRS contains H, G γ, H γ but not G Suppose A, B, C satisfy e AG α, BH β = e G α, H β e G f Φ, H γ e C, H e(a, H γ ) = e(g γ, B) Cannot calculate C from the CRS Then so does A, B = BH r, C??? Need second verification equation Implies C contains a factor of γ 2 Implies A = AG r Implies r depends on γ 21 of 23

41 Our Techniques: 2 CRS contains H, G γ, H γ but not G Suppose A, B, C satisfy e AG α, BH β = e G α, H β e G f Φ, H γ e C, H e(a, H γ ) = e(g γ, B) Cannot calculate C from the CRS Then so does A, B = BH r, C??? Need second verification equation Implies C contains a factor of γ 2 Implies A = AG r Implies r depends on γ 21 of 23

42 Plan Definitions Square Arithmetic Programs Construction Efficiency

43 Efficiency Public parameters and prover computation a bit higher than the others. Verifier computation is low Verifier equations are minimal for SE-SNARKs Proof in full version Proof size is minimal for SE-SNARKs eprint.iacr.org/2017/540 Implemented in libsnark by Popovs, Chiesa, and Virza github.com/scipr-lab/libsnark/tree/master/libsnark/zk_proof_systems/ppzksnark/r1cs_se_ppzksnark 23 of 23

44 Thank-you for listening