Cryptography for Blockchains beyond ECDSA and SHA256

Transcription

1 Cryptography for Blockchains beyond ECDSA and SHA256 S IGNATURES AND Z ERO K NOWLEDGE P ROOFS Benedikt Bünz Stanford University

2 Overview 1. Signatures 1. ECDSA 2. BLS 3. Threshold Signatures 4. Ring Signatures 5. Blind Signatures 2. Zero-Knowledge Proofs 1. An illustrative example (SUDOKU) 2. Sigma protocols 3. SNARKs 4. PCPs, CS-Proofs and STARKs 5. Bulletproofs

3 Signatures Did Bob or Bart say this? Send 1 BTC to Alice Bob Alice Bart

4 Signatures Did Bob or Bart say this? Send 1 BTC to Alice Bob Bob Alice Bart

5 Signature (Formal Definiton) Keygen (sk,pk) Sign (sk,m) σ Verify(pk, σ,m) {0,1} Correctness: Verify(PK,SIGN(SK,M),M)=1 SECURITY: After seeing n signatures no adversary can create a signature on new message

6 Signature (Diagram) (sk,pk) Keygen pk σ Sign(sk,m) m, σ Verify(pk, m, σ)

7 Signature (ECDSA) Used in Bitcoin (and other Cryptocurrencies) Designed because of a patent conflict Malleable: Given (pk,σ,m)-> σ % with Verify(pk,σ %,m) -> Transaction malleability -> Fooled Mt. Gox Cash Out Twice After seeing n signatures no adversary can create a new signature on any message

8 Preliminaries: Discrete Log and Pairings Random x Z * Given g, g. G it s hard to produce x Pairing (Bilinear Map) e: G, > G 4, G is a special elliptic curve g 5, g 6 G, e g 5, g 6 = e g, g 5 6 e g 5, h = e g, h 5 = e g, h 5 e(g, u v) = e(g, u) e(g, v)

9 BLS: Signatures Eliptic curve G with pairing e and generator g H is a hash function that hashes into G Setup: x < Z *. sk: x, pk: g, g. Sign(x,m): σ = H m. Verify(g, g., σ,m): e σ, g =?

10 BLS: Signatures Eliptic curve G with pairing e and generator g H is a hash function that hashes into G Setup: x < Z *. sk: x, pk: g, g. Sign(x,m): σ = H m. Verify(g, g., σ,m): e σ, g =? e H(m), g. e σ, g

11 BLS: Signatures Eliptic curve G with pairing e and generator g H is a hash function that hashes into G Setup: x < Z *. sk: x, pk: g, g. Sign(x,m): σ = H m. Verify(g, g., σ,m): e σ, g =? e H(m), g. e σ, g = e H m., g

12 BLS: Signatures Eliptic curve G with pairing e and generator g H is a hash function that hashes into G Setup: x < Z *. sk: x, pk: g, g. Sign(x,m): σ = H m. Verify(g, g., σ,m): e σ, g =? e H(m), g. e σ, g = e H m., g = e H m, g.

13 BLS: Signatures Eliptic curve G with pairing e and generator g H is a hash function that hashes into G Setup: x < Z *. sk: x, pk: g, g. Sign(x,m): σ = H m. Verify(g, g., σ,m): σ is 32 bytes! e σ, g =? e H(m), g. e σ, g = e H m., g = e H m, g. = e H m, g.

14 BLS Properties: Deterministic m H m. x No randomness, impossible to have two valid signatures for a message, public key pair

15 BLS Properties: Signature aggregation pk D, m D, σ D and pk E, m E, σ E Aggregate signature σ = σ D σ E Verify(g, pk D, pk E, m D, m E, σ): e σ, g = e σ, g =? e H(m), g.

16 BLS Properties: Signature aggregation pk D, m D, σ D and pk E, m E, σ E Aggregate signature σ = σ D σ E Verify(g, pk D, pk E, m D, m E, σ): e σ, g = e H m D, pk D e(h(m E ), pk E ) e σ, g = e σ D σ E, g e σ, g =? e H(m), g.

17 BLS Properties: Signature aggregation pk D, m D, σ D and pk E, m E, σ E e σ, g =? e H(m), g. Aggregate signature σ = σ D σ E Verify(g, pk D, pk E, m D, m E, σ): e σ, g = e H m D, pk D e(h(m E ), pk E ) e σ, g = e σ D σ E, g = e σ D, g e σ E, g e σ D, g = e H m D, pk D e σ E, g = e H m E, pk E e σ D, g e σ E, g = e H m D, pk D e H m E, pk E

18 BLS Properties: Signature aggregation Take n signatures under n public keys on n messages and create a single small signature Each Bitcoin transaction includes public key and is message Take all Bitcoin transactions in a block and create a single signature Take all Bitcoin transactions in the blockchain and have a single signature 32 bytes!

19 Threshold Signature (Diagram) Different from multisig (1 pk) (sk 1,,sk n,pk ) Keygen(t,n) pk σ Sign(sk 1,,sk t,m) m, σ Verify(pk,m, σ)

20 Threshold Difficult for ECDSA (Gennaro et al. 16) Easy for Schnorr, BLS Indistinguishable from normal signature (privacy benefits) Can support 1000s of keys/ signatures don t grow with (t,n)

21 Threshold signature from Shamir secret sharing

22 Ring Signature (Diagram) (sk 1,,sk n,pk ) Keygen(t,n) pk σ Sign(sk i,m) m, σ Verify(pk,m, σ) σ hides i

23 Ring Signatures Used in Monero to hide sender Monero s signatures are linear in n Can be logarithmic in n (Bootle et al. 2015)

24 Blind Signature (Diagram) (sk,pk ) Keygen(t,n) pk c c=commit(m;r) b BlindSign(sk,c) b σ =Unblind(pk,b,r) s.t. Verify(pk,m, σ)=1

25 Blind Signature Separate Custodian from transaction details

26 Zero Knowledge Proofs of Knowledge SUDOKUS, SNARKS, STARKS AND BULLETS

27 Zero Knowledge Proof of Knowledge No idea what the solution is But Alice must know it I know the solution to this complex equation Prove it Challenge Response

28 Zero Knowledge Proof of Knowledge Applications Confidential Transactions Mimblewimble ZeroCash Hawk Zero-Knowledge contingent payments Proofs of Solvency for Bitcoin Exchanges Confidential Payment Channels Blockchain compression

29 SUDOKU

30 SUDOKU

31 Zero-Knowledge SUDOKU Can you help me with this Sudoku? If you pay me! Prove that you know the solution first Ok

32 Zero-Knowledge SUDOKU (Gradwohl et al. 05)

33 Zero-Knowledge SUDOKU Open Row 4

34 Zero-Knowledge SUDOKU Open Column 2

35 Zero-Knowledge SUDOKU Open Box 1

36 Zero-Knowledge SUDOKU Show original puzzle

37 Zero-Knowledge SUDOKU Analysis P[Cheating] EF EG Open Row/Column/Box/Original

38 Zero-Knowledge SUDOKU Amplifying 1 try: tries: tries: tries: tries: 2 IJE Repeat Open Row/Column/Box/Original

39 Problem: Bob learns solution 1 try: tries: tries: tries: tries: 2 IJE Repeat Open Row/Column/Box/Original New permutation in every round

40 Zero-Knowledge 1 try: tries: tries: tries: tries: 2 IJE Repeat Open Row 1 New permutation in every round

41 Zero-Knowledge 1 try: tries: tries: tries: tries: 2 IJE Repeat Open Row 1 New permutation in every round

42 Zero-Knowledge 1 try: tries: tries: tries: tries: 2 IJE Repeat Open Box 2 New permutation in every round

43 Zero-Knowledge for public keys (Sigma protocol) I know x such that g x =y r Z * A = g < s = r + c z c s c Z * g P =?

44 Zero-Knowledge for public keys (Sigma protocol) I know x such that g x =y r Z * A = g < s = r + c z c s c Z * g P =? A y S A y S = g < g. S g < g. S = g <T. S

45 Non-Interactive Zero-Knowledge (NIZK) I know x such that g x =y r Z * A = g < s = r + c z c s c Z * g P =? A y S A y S = g < g. S g < g. S = g <T. S

46 Non-Interactive Zero-Knowledge (NIZK) I know x such that g x =y r Z * A = g < s = r + c z c s c Z * g P =? A y S A y S = g < g. S g < g. S = g <T. S

47 Non-Interactive Zero-Knowledge (NIZK) I know x such that g x =y r Z * A = g < c = H(A, y) s = r + c z s g P =? A y S A y S = g < g. S g < g. S = g <T. S

48 Non-Interactive Zero-Knowledge (NIZK) I know x such that g x =y r Z * A = g < c = H(A, y) s = r + c z π = (A, c, s) g P =? A y S c =? H(A, y)

49 Schnorr signature I know x such that g x =y r Z * A = g < c = H(A, y) s = r + c z π = (A, c, s) g P =? A y S g P =? A y S c =? H(A, y)

50 Schnorr signature I know x such that g x =y r Z * A = g < c = H(A, y, M) s = r + c z σ = A, c, s, M g P =? A y S c =? H(A, y, M)

51 Sigma protocols Good for NIZKs in public key systems Range proofs Proofs of solvency (Dagher et al. 15) Not good for more complicated statements

52 Proofs for complex statement I know x such that H(x)=y/ This is the correct blockchain π

53 Goal: Succinct proofs I know x such that H(x)=y/ This is the correct blockchain π Proof is a 100 bytes no matter what the statement is Verifying it takes ms

54 Preprocessing SNARK Open Row 7

55 Preprocessing SNARK: Idea sent queries once This can be reused Open Row 7,Row 13, Column 4, Box 1 and the perm Special compression function to compress answers (Pairing) Compressed response: π

56 Preprocessing SNARK: Idea sent queries once This can be reused Open Row 7,Row 13, Column 4, Box 1 and the perm Special compression function to compress answers (Pairing) If Alice knows queries She can cheat Compressed response: π

57 Preprocessing SNARK: Encrypt queries This can be reused Open Row 7,Row 13, Column 4, Box 1 and the perm Special compression function to compress answers (Pairing) If Alice knows queries She can cheat Compressed response: π

58 Preprocessing SNARK: Encrypt queries This can be reused Open Row 7,Row 13, Column 4, Box 1 and the perm Special compression function to compress answers (Pairing) Compressed response: π

59 Preprocessing SNARK: Trusted Setup Encrypted Queries Short Encrypted Answers Setup slow Special compression function to compress answers (Pairing) Proving slow Compressed response: π Verify π Using encrypted answers Verification fast

60 Preprocessing SNARK: Malicious Setup Encrypted Queries Short Encrypted Answers Can create cheating proofs Special compression function to compress answers (Pairing) Compressed response: π Verify π Using encrypted answers

61 Preprocessing SNARK: Use multiple parties Encrypted Queries Short Encrypted Answers Special compression function to compress answers (Pairing) ZCash did this Compressed response: π Verify π Using encrypted answers

62 PCP Theorem Open 2 fields PCP Theorem: For any sized Sudoku, P[Cheating]<= 1/3

63 CS-Proofs (use Fiat-Shamir) (Micali 91) Commit: Open 2 fields=h(commit) PCP Theorem: For any sized Sudoku, P[Cheating]<= 1/3

64 CS-Proofs (use Fiat-Shamir) (Micali 91) Commit: Open 2 fields=h(commit) Not practical

65 STARKs (Ben-Sasson 17) Making strides 2 DX cycles 131 GB Ram usage 1.8 MB proofs Commit: Open 2 fields=h(commit)

66 Dreaming of STARKs ZCash without trusted setup Blockchain aggregation (doesn t need Zero-Knowledge) Confidential smart contracts Resolving verifiers dilema Generic verifiable computation (Outsourcing) Very active research area but still not there

67 Bulletproofs (Short proofs but linear verification) Bünz et al. 17 based on Bootle et al. 16 Proofs are very short (log(n) for statement of size n) Verification is like proving (slow) Replacement for Sigma protocols No trusted setup! Just discrete log assumption

68 Bulletproofs (What is it good for?) Range proofs for confidential transactions/mimblewimble 670 bytes instead of 4 KB per range proof Aggregation: Two range proofs 736 bytes vs. 8 KB 16 range proofs 928 bytes vs. 61KB Mimblewimble size: 17 GB vs 160 GB Built in: simple CoinJoin protocol for combining confidential transactions Solvency proofs Verifiable shuffles NIZKs for Smart Contracts

69 References (Signatures) BLS ECDSA Threshold: BLS/Schnorr Threshold: Ring Signatures: Blind Signatures:

70 References (Proofs) Provisions: Zero-Knowledge contingent payments: Zero-cash: ZK-SUDOKU: Sigma Protocols: ftp://ftp.inf.ethz.ch/pub/crypto/publications/cradam98.pdf SNARKs: (Groth first SNARK) (GGPR SNARKs of today) (Pinocchio the most used) (SNARKs for C) PCPs: CS Proofs: STARKs: Bulletproofs:

71 Thank you! CS. STANFORD. EDU