Professional Documents
Culture Documents
Lecture 11
Lecture 11
Cryptographic Proofs
2 ZKP MOOC
What does theoretical research
on proof systems look like?
3 ZKP MOOC
Credit: Faithie/Shutterstock
Theoretical Research on Cryptographic Proofs
Feasibility (do they exist in principle?)
▪ SNAR(G/K)s, other protocols (ZK, WI, WH, etc.)
▪ Strong attack models (Concurrent? Quantum?)
Improve efficiency
▪ Amount of communication, number of rounds
▪ Prover/verifier efficiency
4 ZKP MOOC
Theoretical Research on Cryptographic Proofs
Feasibility (do they exist in principle?)
▪ SNAR(G/K)s, other protocols (ZK, WI, WH, etc.)
▪ Strong attack models (Concurrent? Quantum?)
Improve efficiency
▪ Amount of communication, number of rounds
▪ Prover/verifier efficiency
5 ZKP MOOC
Theoretical Research on Cryptographic Proofs
Feasibility (do they exist in principle?)
▪ SNAR(G/K)s, other protocols (ZK, WI, WH, etc.)
▪ Strong attack models (Concurrent? Quantum?)
Improve efficiency
▪ Amount of communication, number of rounds
▪ Prover/verifier efficiency
6 ZKP MOOC
Theoretical Research on Cryptographic Proofs
Feasibility (do they exist in principle?)
▪ SNAR(G/K)s, other protocols (ZK, WI, WH, etc.)
▪ Strong attack models (Concurrent? Quantum?) +Applications
Minimize Assumptions (to the extent possible)
▪ Trusted setup (CRS/URS/plain model)
▪ Security reduction based on simple, well-studied, falsifiable assumptions.
Improve efficiency
▪ Amount of communication, number of rounds
▪ Prover/verifier efficiency
7 ZKP MOOC
Example: Interactive ZK
8 ZKP MOOC
Credit: Faithie/Shutterstock
Interactive Zero-Knowledge Protocols
▪ No trusted setup allowed.
▪ Security against Malicious verifier hard to guarantee.
▪ Lecture 1: ZK for NP [GMW86] with inverse poly
soundness error. How do we reduce the error?
▪ Sequential repetition works (but very inefficient).
▪ Parallel repetition reduces soundness error but *may not*
preserve ZK! Let’s see why:
9 ZKP MOOC
Interactive Zero-Knowledge Protocols
▪ No trusted setup allowed.
▪ Security against Malicious verifier hard to guarantee.
▪ Lecture 1: ZK for NP [GMW86] with inverse poly
soundness error. How do we reduce the error?
▪ Sequential repetition works (but very inefficient).
▪ Parallel repetition reduces soundness error but *may not*
preserve ZK! Let’s see why:
10 ZKP MOOC
Interactive Zero-Knowledge Protocols
▪ No trusted setup allowed.
▪ Security against Malicious verifier hard to guarantee.
▪ Lecture 1: ZK for NP [GMW86] with inverse poly
soundness error. How do we reduce the error?
▪ Sequential repetition works (but very inefficient).
▪ Parallel repetition reduces soundness error but *may not*
preserve ZK! Let’s see why:
11 ZKP MOOC
Zero Knowledge Proofs for NP
𝑎 𝑏
𝑒 𝑑
12 ZKP MOOC
Zero Knowledge Proofs for NP
𝑎 𝑏 𝑎 𝑏
𝑓 𝑐
𝑓 𝑐
𝑒 𝑑
𝑃 𝑒 𝑑 𝑉
1) Randomize colors
0 1 2
13 ZKP MOOC
Zero Knowledge Proofs for NP
𝑎 𝑏 𝑎 𝑏
𝑓 𝑐
𝑓 𝑐
𝑒 𝑑
𝑃 𝑒 𝑑 𝑉
1) Randomize colors
0 1 2
2) Commit
14 ZKP MOOC
Zero Knowledge Proofs for NP
𝑎 𝑏 𝑎 𝑏
𝑓 𝑐
𝑓 𝑐
𝑒 𝑑
𝑃 𝑒 𝑑 𝑉
1) Randomize colors
0 1 2
2) Commit
(𝑑, 𝑓) 1) Sample a challenge edge.
15 ZKP MOOC
Zero Knowledge Proofs for NP
𝑎 𝑏 𝑎 𝑏
𝑓 𝑐
𝑓 𝑐
𝑒 𝑑
𝑃 𝑒 𝑑 𝑉
0 1 2
2) Commit
(𝑑, 𝑓) 1) Sample a challenge edge.
1 2
3) Reveal edge colors 2) Accept if colors are different.
16 ZKP MOOC
Zero Knowledge Proofs for NP
𝑎 𝑏
𝑉∗
challenge in advance, and rewind
𝑒 𝑑
if the guess was wrong.
1) Guess (𝑥, 𝑦)
2) Pick two random bits
3) Commit If 𝑥, 𝑦 ≠ (𝑥 ′ , 𝑦 ′ )
𝑥 ′, 𝑦 ′
1 2
17 ZKP MOOC
Zero Knowledge Proofs for NP
𝑃 𝑉
18 ZKP MOOC
Zero Knowledge Proofs for NP
𝑃 𝑉
19 ZKP MOOC
Interactive Zero-Knowledge Protocols
▪ No trusted setup allowed.
▪ Security against Malicious verifier hard to guarantee.
▪ Many lines of research devoted to understanding the
feasibility of interactive ZK.
▪ How many communication rounds? [BKP18] suggests that
you can do it in 3.
▪ How efficient can you make the prover? [IKOS07, …]
▪ Stronger forms of security: quantum attacks, concurrency
20 ZKP MOOC
Interactive Zero-Knowledge Protocols
▪ No trusted setup allowed.
▪ Security against Malicious verifier hard to guarantee.
▪ Many lines of research devoted to understanding the
feasibility of interactive ZK.
▪ How many communication rounds? [BKP18] suggests that
you can do it in 3.
▪ How efficient can you make the prover? [IKOS07, …]
▪ Stronger forms of security: quantum attacks, concurrency
21 ZKP MOOC
Main Topics:
Fiat-Shamir and SNARGs
22 ZKP MOOC
Credit: Faithie/Shutterstock
Succinct Non-Interactive Arguments (SNARGs)
𝑥, crs
𝜋
𝑃(𝑤) 𝑉
23 ZKP MOOC
Succinct Non-Interactive Arguments (SNARGs)
𝑥, crs
𝜋
𝑃(𝑤) 𝑉
This class so far: constructions of SNARGs using IOPs and a random oracle.
24 ZKP MOOC
The Fiat-Shamir Transform
Powerful, general proposal for removing interaction.
Interactive Non-Interactive
Hash Function ℎ
𝑷 𝛼 𝑽 𝑷 𝑽
𝛽 𝛼, 𝛽, 𝛾
Compute
𝛾
𝛽 = ℎ(𝛼)
If ℎ is modeled as a random oracle, securely compiles any constant-round public coin protocol.
25 ZKP MOOC
The Fiat-Shamir Transform
If ℎ is modeled as a random oracle, securely compiles any constant-round public coin protocol.
26 ZKP MOOC
The Random Oracle Model [BR93]
Assumption about the structure of an attack on a hash function ℎ:
ℎ(⋅)
𝑷∗ 𝜋 𝑽
27 ZKP MOOC
Fiat-Shamir in the ROM
Claim: Fiat-Shamir for constant-round protocols is secure in the ROM
Proof (3 message case):
ℎ(⋅)
𝑷∗ 𝛼, 𝛽, 𝛾 𝑽
28 ZKP MOOC
Fiat-Shamir in the ROM
Claim: Fiat-Shamir for constant-round protocols is secure in the ROM
Proof (3 message case):
𝑄 − 1 queries
ℎ(⋅) ℎ(⋅)
𝑷∗ 𝛼, 𝛽, 𝛾 𝑽 𝑷∗ 𝛼 (ith query) 𝑽
Sample 𝑖 ← [𝑄] 𝛽
(number of queries) 𝛾
𝛼 must come from one
of the oracle queries
29 ZKP MOOC
Fiat-Shamir in the ROM
Claim: Fiat-Shamir for constant-round protocols is secure in the ROM
Proof (3 message case):
𝑄 − 1 queries
ℎ(⋅) ℎ(⋅)
𝑷∗ 𝛼, 𝛽, 𝛾 𝑽 𝑷∗ 𝛼 (ith query) 𝑽
Sample 𝑖 ← [𝑄] 𝛽
(number of queries) 𝛾
𝛼 must come from one
of the oracle queries
1/𝑄 security loss
30 ZKP MOOC
The Random Oracle Model [BR93]
Assumption about the structure of an attack on a hash function ℎ:
ℎ(⋅)
𝑷∗ 𝜋 𝑽
31 ZKP MOOC
The Random Oracle Model [BR93]
Assumption about the structure of an attack on a hash function ℎ:
ℎ(⋅)
𝑷∗ 𝜋 𝑽
32 ZKP MOOC
The Random Oracle Model [BR93]
Assumption about the structure of an attack on a hash function ℎ:
ℎ(⋅)
𝑷∗ 𝜋 𝑽
33 ZKP MOOC
Obvious (theoretical) problem:
34 ZKP MOOC
Credit: Faithie/Shutterstock
Next: example of an uninstantiable
random oracle property [CGH98]
35 ZKP MOOC
Credit: Faithie/Shutterstock
Random Oracles Do Not Exist
Fix a function 𝑓: {0,1}∗ → {0,1}𝜆
We say that a hash function ℎ is Correlation Intractable (CI)
for 𝑓 if it is hard to find 𝑥 such that ℎ 𝑥 = 𝑓 𝑥
∀ PPT 𝐴,
Pr ℎ 𝑥 = 𝑓(𝑥) = negl
ℎ←𝐻
𝑥←𝐴(ℎ)
36 ZKP MOOC
Random Oracles Do Not Exist
For any fixed 𝑓, a RO is CI for 𝑓.
37 ZKP MOOC
Random Oracles Do Not Exist
Claim [CGH98]: ∃𝑓 such that for any (efficient) hash
family 𝐻, 𝐻 fails to be CI for 𝑓!
38 ZKP MOOC
Random Oracles Do Not Exist
Claim [CGH98]: ∃𝑓 such that for any (efficient) hash
family 𝐻, 𝐻 fails to be CI for 𝑓!
𝑓 𝑥 : interpret 𝑥 as a program 𝑃 and output 𝑃 𝑥 .
39 ZKP MOOC
Random Oracles Do Not Exist
Claim [CGH98]: ∃𝑓 such that for any (efficient) hash
family 𝐻, 𝐻 fails to be CI for 𝑓!
𝑓 𝑥 : interpret 𝑥 as a program 𝑃 and output 𝑃 𝑥 .
Given ℎ ← 𝐻, attack sets 𝑥 = ⟨ℎ⟩ to be a description of ℎ. Then,
𝑓 𝑥 =𝑃 𝑥 =𝑃 ℎ =ℎ ℎ =ℎ 𝑥 .
40 ZKP MOOC
Random Oracles Do Not Exist
Is this a reasonable counterexample?
▪ Hash function/random oracle must be able to hash inputs
of arbitrary length. CI with bounded inputs might exist!
41 ZKP MOOC
Random Oracles Do Not Exist
Is this a reasonable counterexample?
▪ Hash function/random oracle must be able to hash inputs
of arbitrary length. CI with bounded inputs might exist!
▪ [Barak01,GK03] apply to fixed-input length hash functions.
42 ZKP MOOC
Random Oracles Do Not Exist
Is this a reasonable counterexample?
▪ Hash function/random oracle must be able to hash inputs
of arbitrary length. CI with bounded inputs might exist!
▪ [Barak01,GK03] apply to fixed-input length hash functions.
Theorem [Barak ‘01, Goldwasser-Kalai ‘03]: ∃ interactive
protocol Π such that ΠFS is ROM-secure but insecure for
any efficiently computable H (e.g. SHA-3).
43 ZKP MOOC
Random Oracles Do Not Exist
Is this a reasonable counterexample?
▪ Hash function/random oracle must be able to hash inputs
of arbitrary length. CI with bounded inputs might exist!
▪ [Barak01,GK03] apply to fixed-input length hash functions.
▪ Security property broken by running the hash function on
its own description. Is this practically relevant?
44 ZKP MOOC
Random Oracles Do Not Exist
Is this a reasonable counterexample?
▪ Hash function/random oracle must be able to hash inputs
of arbitrary length. CI with bounded inputs might exist!
▪ [Barak01,GK03] apply to fixed-input length hash functions.
▪ Security property broken by running the hash function on
its own description. Is this practically relevant?
▪ Recursive SNARKs do something of this flavor.
45 ZKP MOOC
Random Oracles Do Not Exist
Is this a reasonable counterexample?
▪ Hash function/random oracle must be able to hash inputs
of arbitrary length. CI with bounded inputs might exist!
▪ [Barak01,GK03] apply to fixed-input length hash functions.
▪ Does NOT imply RO-based SNARKs are broken in practice.
▪ But it does imply a lack of theoretical understanding.
46 ZKP MOOC
What can we do without
random oracles?
47 ZKP MOOC
Credit: Faithie/Shutterstock
Falsifiable Assumptions
Prove security assuming that some concrete algorithmic task is
infeasible:
48 ZKP MOOC
Falsifiable Assumptions
Many cryptographic constructions use random oracles to get
better efficiency, but can be based on falsifiable assumptions.
49 ZKP MOOC
Falsifiable Assumptions
Can (ZK-)SNARKs for NP be built based on falsifiable assumptions?
▪ (minor caveats but) No!
▪ No way to extract a long witness from a short proof. Need
assumption (RO, “knowledge assumption”) that guarantees
adversary “knows” a long string given a short commitment.
50 ZKP MOOC
Falsifiable Assumptions
Can (ZK-)SNARGs for NP be built based on falsifiable assumptions?
51 ZKP MOOC
Rest of today: SNARGs for
limited computations from
falsifiable assumptions (LWE)
52 ZKP MOOC
Credit: Faithie/Shutterstock
Two tools/techniques
▪ Correlation-intractable hash functions [CCHLRRW19,PS19,HLR21]
▪ Used to instantiate Fiat-Shamir without random oracles, for
“nice enough” interactive protocols.
53 ZKP MOOC
Correlation Intractability
A hash family 𝐻 is CI for 𝑓 if ∀ PPT 𝐴,
Pr ℎ 𝑥 = 𝑓(𝑥) = negl
ℎ←𝐻
𝑥←𝐴(ℎ)
54 ZKP MOOC
Correlation Intractability
A hash family 𝐻 is CI for binary relation 𝑅 if ∀ PPT 𝐴,
Pr 𝑥, ℎ 𝑥 ∈ 𝑅 = negl
ℎ←𝐻
𝑥←𝐴(ℎ)
55 ZKP MOOC
Correlation Intractability
A hash family 𝐻 is CI for 𝑓 if ∀ PPT 𝐴,
Pr ℎ 𝑥 = 𝑓(𝑥) = negl
ℎ←𝐻
𝑥←𝐴(ℎ)
56 ZKP MOOC
CI Construction
Here’s a simple construction [CLW18] using Fully
Homomorphic Encryption (FHE)
pk pk, 𝑓 sk
𝑥 𝑥 𝑓(𝑥) 𝑓(𝑥)
57 ZKP MOOC
CI Construction
ℎ = (pk, Enc 𝑔 )
Real hash key: 𝑔 ≡ 0 (or a uniform random string – nobody can tell)
58 ZKP MOOC
Security Analysis
Suppose an attacker, given ⟨ℎ⟩, finds 𝑥 such that ℎ 𝑥 = 𝑓(𝑥).
Key idea: let 𝑔∗ 𝑥 = Dec 𝑓 𝑥 + 1. We know that Enc 𝑔) ≈ Enc(𝑔∗ if
the encryption scheme is (circular-)secure.
59 ZKP MOOC
Correlation Intractability: what we know
𝐻 is CI for 𝑅 if ∀ PPT 𝐴, Pr
ℎ←𝐻
𝑥, ℎ 𝑥 ∈ 𝑅 = negl
𝑥←𝐴(ℎ)
60 ZKP MOOC
How do we use CI to instantiate
Fiat-Shamir?
61 ZKP MOOC
Credit: Faithie/Shutterstock
Avoid the “Bad Challenges”
Hash Function ℎ
𝑷 𝛼 𝑽 𝑷 𝑽
𝛽 Compute 𝛼, 𝛽, 𝛾
𝛾 𝛽 = ℎ(𝛼)
62 ZKP MOOC
Avoid the “Bad Challenges”
Hash Function ℎ
𝑷 𝛼 𝑽 𝑷 𝑽
𝛽 Compute 𝛼, 𝛽, 𝛾
𝛾 𝛽 = ℎ(𝛼)
63 ZKP MOOC
Avoid the “Bad Challenges”
Hash Function ℎ
𝑷 𝛼 𝑽 𝑷 𝑽
𝛽 Compute 𝛼, 𝛽, 𝛾
𝛾 𝛽 = ℎ(𝛼)
Main challenges:
1) Sometimes our IP doesn’t have statistical soundness.
2) We can only build CI for relations 𝑅 that can be decided efficiently.
64 ZKP MOOC
Important example:
SNARGs via IOPs (PCPs)
65 ZKP MOOC
Credit: Faithie/Shutterstock
SNARGs from PCPs [Kilian, Micali]
𝑃(𝑥, 𝑤) 𝑉(𝑥)
Compute (long) proof Com(𝜋)
string 𝜋 from (𝑥, 𝑤)
𝑟 (describes location set 𝑆) 𝑟 ← {0,1}𝜆
Open 𝜋𝑆 Verify opening, check
consistency of 𝜋𝑆
66 ZKP MOOC
SNARGs from PCPs [Kilian, Micali]
𝑃(𝑥, 𝑤) 𝑉(𝑥)
Compute (long) proof Com(𝜋)
string 𝜋 from (𝑥, 𝑤)
𝑟 (describes location set 𝑆) 𝑟 ← {0,1}𝜆
Open 𝜋𝑆 Verify opening, check
consistency of 𝜋𝑆
67 ZKP MOOC
SNARGs for Batch NP
𝑃 𝑥1 , … , 𝑥𝑘 , 𝑤1 , … , 𝑤𝑘 𝑉(𝑥1 , … , 𝑥𝑘 )
𝜋
68 ZKP MOOC
Interactive Batch Arguments from PCPs [CJJ21]
𝑃 𝑥1 , … , 𝑥𝑘 , 𝑤1 , … , 𝑤𝑘 𝑉(𝑥1 , … , 𝑥𝑘 )
Com(𝜋1 , … , 𝜋𝑘 )
𝑟 (describes location set 𝑆) 𝑟 ← {0,1}𝜆
Open 𝜋1,𝑆 , … 𝜋𝑘,𝑆 Verify opening, check
consistency of 𝜋𝑆
69 ZKP MOOC
Interactive Batch Arguments from PCPs [CJJ21]
𝑃 𝑥1 , … , 𝑥𝑘 , 𝑤1 , … , 𝑤𝑘 𝑉(𝑥1 , … , 𝑥𝑘 )
Com(𝜋1 , … , 𝜋𝑘 )
𝑟 (describes location set 𝑆) 𝑟 ← {0,1}𝜆
Open 𝜋1,𝑆 , … 𝜋𝑘,𝑆 Verify opening, check
consistency of 𝜋𝑆
70 ZKP MOOC
SSB Commitments
k1=H(h1, h2)
M Y V E C T O R
71 ZKP MOOC
SSB Commitments
𝐻 = 𝐻3 (binding k1=H(h1, h2) (secretly
on 3rd location) encodes V)
M Y V E C T O R
72 ZKP MOOC
SSB Commitments
𝐻 = 𝐻3 (binding k1=H(h1, h2) (secretly
on 3rd location) encodes V)
M Y V E C T O R
73 ZKP MOOC
Interactive Batch Arguments from PCPs [CJJ21]
𝑃 𝑥1 , … , 𝑥𝑘 , 𝑤1 , … , 𝑤𝑘 𝑉(𝑥1 , … , 𝑥𝑘 )
Com(𝜋1 , … , 𝜋𝑘 )
𝑟 (describes location set 𝑆) 𝑟 ← {0,1}𝜆
Open 𝜋1,𝑆 , … 𝜋𝑘,𝑆 Verify opening, check
consistency of 𝜋𝑆
74 ZKP MOOC
Interactive Batch Arguments from PCPs [CJJ21]
𝑃 𝑥1 , … , 𝑥𝑘 , 𝑤1 , … , 𝑤𝑘 𝑉(𝑥1 , … , 𝑥𝑘 )
Com(𝜋1 , … , 𝜋𝑘 )
𝑟 (describes location set 𝑆) 𝑟 ← {0,1}𝜆
Open 𝜋1,𝑆 , … 𝜋𝑘,𝑆 Verify opening, check
consistency of 𝜋𝑆
75 ZKP MOOC
Batch Arguments from PCPs [CJJ21]
𝑃 𝑥1 , … , 𝑥𝑘 , 𝑤1 , … , 𝑤𝑘 𝑉(𝑥1 , … , 𝑥𝑘 )
Com(𝜋1 , … , 𝜋𝑘 )
𝑟 (describes location set 𝑆) 𝑟 ← {0,1}𝜆
Open 𝜋1,𝑆 , … 𝜋𝑘,𝑆 Verify opening, check
consistency of 𝜋𝑆
With some work, can use CI hash functions to compile this protocol.
Succinctness: 𝑤 ⋅ 𝜆 + 𝑘 ⋅ 𝜆, but can be reduced to 𝑤 ⋅ 𝜆 by recursing.
76 ZKP MOOC
Summary of Fiat-Shamir without RO
▪ Use hash functions that are CI for appropriate
functions/relations
▪ [CCHLRRW19,PS19,BKM20,JJ21,HLR21]
▪ Carefully show that FS-soundness for protocols of
interest follows from compatible forms of CI
▪ [CCHLRRW19]: (non-succinct) NIZK
▪ [JKKZ21]: non-interactive sumcheck protocol
▪ [CJJ21]: batch NP arguments
77 ZKP MOOC
Summary of Fiat-Shamir without RO
Open problems:
78 ZKP MOOC
END OF LECTURE
79 ZKP MOOC
Credit: Faithie/Shutterstock