Amortized Complexity of Zero-Knowledge Proofs Revisited: Achieving Linear Soundness Slack



SLIDE 1

Amortized Complexity of Zero-Knowledge Proofs Revisited: Achieving Linear Soundness Slack

Ronald Cramer (CWI), Ivan Damgård (AU), Chaoping Xing (NTU), Chen Yuan (NTU). Eprint 2016/681

SLIDE 3

Integer One-Way Function (iOWF)

  • maps integers to finite group G
  • hard to invert
  • additively homomorphic

f: Z -> G (in paper: integer vectors to G)
f(x+y) = f(x)+f(y)

Examples:

  • encryption functions for many lattice-based crypto-systems
  • lattice-based hash functions
  • integer commitment schemes

SLIDE 7

Zero-Knowledge for iOWFs

Prover P claims he knows a small (short) preimage x for output value y = f(x).

Useful in many contexts:

  • Prove that ciphertext is well-formed, so it decrypts uniquely
  • Preimage of hash function is short enough, so collisions are hard to find

SLIDE 9

Simplistic Zero-Knowledge

Prover P holds x; P and V both know y = f(x). Claim: |x| < b

  P -> V: a = f(r) ("smallish", random r)
  V -> P: e (= 0 or 1)
  P -> V: z = r + ex

V checks that f(z) = a + ey and z is small.

Problems (1): to make this ZK, |r| must be bigger than b by a factor that is exponentially large in the security parameter k. Then the preimage we can extract from a cheating prover is also large: we say the soundness slack is exp(k).

SLIDE 10

Simplistic Zero-Knowledge

Problems (2): must repeat the protocol k times to get exp(-k) error probability. Taking e from a larger domain does not work. We say the overhead is k.
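
The protocol from slides 9 and 10, as an added Python example that is not from the original slides or the paper: it runs one honest round, extracts a preimage from the answers to e = 0 and e = 1, and shows a prover whose smallest preimage is about 2^(k+1) times larger than b still answering both challenges. The toy function f(x) = G*x mod Q, the constants Q and G, the acceptance bound b*2^k + b and all function names are assumptions made for illustration; this f is homomorphic but not one-way.

```python
import secrets

# Toy iOWF, constructed for illustration: f(x) = G*x mod Q is additively
# homomorphic but trivially invertible, so it is NOT one-way.
Q = 2**61 - 1
G = 1234567891011

def f(x):
    return (G * x) % Q

def z_bound(b, k):
    # The mask r is 2^k times larger than b, so z = r + e*x hides x statistically.
    return b * 2**k + b

def commit(b, k):
    r = secrets.randbelow(2 * b * 2**k + 1) - b * 2**k   # r in [-b*2^k, b*2^k]
    return r, f(r)

def respond(x, r, e):
    return r + e * x

def verify(y, a, e, z, b, k):
    # V's check from the slide: f(z) = a + e*y and z is small.
    return f(z) == (a + e * y) % Q and abs(z) <= z_bound(b, k)

def extract(z0, z1):
    # Two accepting answers to the same a with e=0 and e=1 give
    # f(z1 - z0) = y, but only |z1 - z0| <= 2*z_bound is guaranteed.
    return z1 - z0

def honest_run(b=100, k=40):
    x = secrets.randbelow(2 * b - 1) - (b - 1)           # |x| < b
    y = f(x)
    r, a = commit(b, k)
    z0, z1 = respond(x, r, 0), respond(x, r, 1)
    ok = verify(y, a, 0, z0, b, k) and verify(y, a, 1, z1, b, k)
    return ok, x, extract(z0, z1)

def oversized_run(b=100, k=40):
    # A prover whose smallest preimage is 2*z_bound, far above b, still answers
    # both challenges: with r = -z_bound, z is -z_bound (e=0) or +z_bound (e=1).
    B = z_bound(b, k)
    x_big, r = 2 * B, -B
    y, a = f(x_big), f(r)
    ok = all(verify(y, a, e, respond(x_big, r, e), b, k) for e in (0, 1))
    return ok, x_big // b                                # slack factor
```

The slack factor returned by `oversized_run` is 2(2^k + 1), which is the exp(k) soundness slack of Problems (1); the single-bit challenge is why k repetitions are needed in Problems (2).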

SLIDE 14

State of the Art and Our Results

Prove knowledge of a single preimage: we do not know how to reduce both overhead and soundness slack.

Consider instead images y1,…,yn and the amortized cost of proving preimage knowledge.

[CD09]: overhead O(1), soundness slack exp(k)
[BDLN16]: overhead O(1), soundness slack O(n klog(k))

This work:

  • Overhead O(1), soundness slack O(k)
  • Need that n is k^2; constants are small, practical solution.
  • Can reduce to k^1.5 (and better in subsequent work); theoretical interest.

SLIDE 16

The Construction

"Imperfect Proof" borrowed from [BDLN16]: Cut-and-choose + Lyubashevsky's rejection sampling. Overhead O(1), soundness slack O(1). Ensures that we can extract from P a small preimage of all but k of the yi. Improved version in [dPL17].

Main Protocol (our contribution): use the Imperfect Proof, the homomorphic property and a bipartite graph with good expansion properties to get a protocol from which we can extract all preimages.

SLIDE 19

Using a Bipartite graph

[Figure: bipartite graph; left nodes labelled y1, y2, y3, …, yn; right nodes labelled with sums such as y1+y3+yn and y2+yn]

  • n nodes on the left and right
  • Assign yi to i'th node on the left.
  • Assign to each node on the right the sum of values from its neighbors

SLIDE 22

Using a Bipartite graph 2

[Figure: bipartite graph; left nodes y1 = f(x1), y2 = f(x2), y3 = f(x3), yn; right nodes y1+y3+yn = f(z) and y2+yn]

  • Use Imperfect Proof on values on the left, and also on values on the right.
  • We can extract from P small preimages of almost all instances.
  • Say we fail on 1 instance on both sides

SLIDE 23

Using a Bipartite graph 3

[Figure: bipartite graph; left nodes y1 = f(x1), y2 = f(x2), y3 = f(x3), yn; right nodes y1+y3+yn = f(z) and y2+yn]

  • We failed on yn, but if we can find a place on the right where 1) we succeeded and 2) yn is "alone", we are good:
  • yn = f(z) - y1 - y3 = f(z - x1 - x3)
  • If |z|, |x1|, |x3| are < b, then |z-x1-x3| < 3b

SLIDE 24

Requirements on the graph

  • In-degree on the right: O(k) - then soundness slack is O(k).
  • Strong unique neighbor property: Consider any two subsets of size k, A on the left, B on the right. For each a in A there exists b not in B such that {a} = A ∩ Neighborhood(b) - then extraction works.

[Figure: subsets A (left) and B (right), with a node a in A joined to a node b outside B]

SLIDE 28

Construction of good graphs 1

In general, related to graphs with good expansion properties, but known results don't do what we want. We get the result we need from universal hash functions.

Let p > 2k+1 be a prime and F the field with p elements. A member in our family H is defined by h in F. We define h(a0,a1) = ha0+a1.

Set of nodes on the left: X = FxF
Set of nodes on the right: Y = HxF
Edge from (a0,a1) to (h,b) iff h(a0,a1) = b.

SLIDE 29

Construction of good graphs 2

[Figure: edge between left node a = (a0,a1) and right node (h,b)]

  • Edge exists iff h(a0,a1) = ha0+a1 = b
  • We get a good graph with n <= 16k^2 nodes on each side and in-degree O(k).
  • In-degree is clear; for strong unique neighbor property, see paper.
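
The extraction step of "Using a Bipartite graph 3" run on the hash-based graph of "Construction of good graphs", as an added Python example that is not from the original slides or the paper. The parameters P = 11 and K = 4, the toy function f(x) = G*x mod Q (homomorphic but not one-way), the use of honest values as the "extracted" preimages and all function names are assumptions made for illustration.

```python
import random

P, K = 11, 4                       # constructed parameters: prime P > 2K+1
Q, G = 2**61 - 1, 1234567891011    # toy f(x) = G*x mod Q: homomorphic, NOT one-way

def f(x):
    return (G * x) % Q

LEFT = [(a0, a1) for a0 in range(P) for a1 in range(P)]   # X = F x F
RIGHT = [(h, b) for h in range(P) for b in range(P)]      # Y = H x F

def neighbors(node):
    # Left nodes (a0, a1) joined to right node (h, b): h*a0 + a1 = b in F.
    h, b = node
    return [(a0, (b - h * a0) % P) for a0 in range(P)]

def recover(a, A, B, x_known, z_known):
    # Look for a right node outside B whose only neighbor in A is a, then use
    # y_a = f(z) - (sum of the other y's) = f(z - sum of the other x's).
    a0, a1 = a
    for h in range(P):
        node = (h, (h * a0 + a1) % P)
        nb = neighbors(node)
        if node not in B and [u for u in nb if u in A] == [a]:
            # One z and P-1 x's are combined here: the in-degree sets the slack.
            return z_known[node] - sum(x_known[u] for u in nb if u != a)
    return None                    # would mean the unique neighbor property failed

def demo(seed, b=1000):
    rng = random.Random(seed)
    x = {a: rng.randrange(-b + 1, b) for a in LEFT}           # |x_i| < b
    y = {a: f(v) for a, v in x.items()}                       # left values y_i
    z = {r: sum(x[a] for a in neighbors(r)) for r in RIGHT}   # preimages of right sums
    A = set(rng.sample(LEFT, K))     # left instances the imperfect proof missed
    B = set(rng.sample(RIGHT, K))    # right instances it missed
    x_known = {a: v for a, v in x.items() if a not in A}
    z_known = {r: v for r, v in z.items() if r not in B}
    got = {a: recover(a, A, B, x_known, z_known) for a in A}
    return all(v is not None and f(v) == y[a] for a, v in got.items())
```

For a fixed a, each other member of A shares a right node with a for at most one h, and B removes at most K more, so at least P - (K-1) - K of the P candidate nodes remain and `recover` never returns None.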

SLIDE 30

Alternative Construction

...can be based on certain known graphs with good expansion properties. We adapt previous proof techniques to get the properties we need. We get n = O(k^3) and the strong unique neighbor property only holds in a probabilistic sense.

BUT: it is still useful even when n << k^3: it implies a protocol that reduces the number of unknown preimages significantly. Can combine with first result to get soundness slack O(k), overhead O(1) with n = O(k^1.5).

SLIDE 32

Acknowledgement: to Omer Reingold for an idea leading to the n=O(k^2) result.

Thanks!