SPB Crypto Devs Meetup

Sigma Protocols and Efficient Zero-Knowledge Proofs

Alexander ChepurnoyIOHK Research

Motivating Example

Alice publishes a commitment of a secret

Alice passes a secret to Bob

Bob wants to convince Carol he knows a secret

Motivating Example

Anonymous voting

Every vote is whether 0 or 1 encrypted

To calculate a sum, additively homomorphic encryption could be used

But how to be sure only 0 or 1 is encrypted?

Solution: a proof for each vote it is whether 0 or 1(without revealing a value!)

ZKPoKs: What For

Identification schemes

Signatures

Building block in many protocols(voting, anonymous transactions etc)

ZKPoK

Zero-Knowledge Proof of Knowledge

Prover P, Verifier V, relation R

Common input x

P proves it knows a witness w for which (x,w)R

Without revealing anything about it

In practice, often inefficient and so avoided

Properties

Completeness: a correct statement could be proven

Soundness: it's not possible to prove incorrect statements(with a non-negligible probability)

-protocol, Generically

P sends V a message a

V sends P a random t-bit string e

P sends a reply z, and V decides to accept or reject based solely on the data it has seen; i.e., based only on the values (x, a, e, z).

Theory Behind

Ivan Damgard On Sigma Protocols

Yehuda Lindell, Carmit Hazay Efficient Secure Two-Party Protocols: Techniques and Constructions (Book)

Yehuda Lindell Sigma Protocols and Zero Knowledge http://www.youtube.com/watch?v=nwsmG3S9wIc

Implementation

ScAPI(Java/JVM) - The Secure Computation API https://github.com/cryptobiu/scapi

Protocols pseudocode http://cryptobiu.github.io/scapi/SDK_Pseudocode.pdf

Example: Schnorrs protocol

-protocol for DLOG

h = gw

(p, q ,g, h) is common input

First msg(P): a = gr

Second msg(V): challenge c = random({0, 1}, t)

Third message(P): z = r + ew mod q

V checks if gz = a * he

Completeness: gz = g(r+ew) = gr * (gw)e = a * he

Schnorrs protocol

Very efficient: just 3 exponentiations

Proof-of-Knowledge protocol

Not provably Zero-Knowledge

but Honest Verifier Zero-Knowledge

error 2-t

Proof of Membership

(x;w) L

x is set

Example: Diffie-Hellman tuple

Common input: (G,q,g,h,u,v,t)

P knows w such as u = gw, v = hw

P sends out a = gr, b = hr

V sends out a challenge c = random({0, 1}, t)

P sends out z = r + ew mod q

V checks if gz = a*ue, hz = b * ve

Run Properties

Parallel execution: l parallel runs with challenge of size t is equivalent to run protocols with challenge of size l*t

Challenge could be of arbitrary size

Compound Statements

AND

OR

AND Statement

Just run two protocols in parallel for (a1, a2) and the same e

OR Statement

Prove one of two statements is true without revealing which

Based on simulation for a statement witness isn't known for

Compound Statements

OR of many statements (k out of n) is possible

Any monotone formula, so any combination of ANDs and ORs without a negation, is possible

Commitment Scheme

Commit phase

Reveal phase

hash (secret ++ blinding factor)

Pedersen commitment: c = gx * hr

Zero Knowledge From -protocol

Verifier needs to commit a challenge in prior to a fist message from a Prover

With the commitment being added, a -protocol becomes provably Zero-Knowledge (details in the book of Lindell / Hazay)

Zero Knowledge From -protocol

-protocol

V chooses a random t-bit challenge e and interacts with P via the commitment protocol in order to commit to e

P computes the first message a in , using (x, w) as input, and sends it to V

V reveals e to P by decommitting

P verifies the decommitment, computes the answer z in , and sends z to V

V accepts if and only if transcript (a, e, z) is accepting in on input x

Commitment From -protocol

Verifier = receiver

Prover = sender

Set-up: V generates (x; w), sends x to P

Commit: to commit to a t-bit string e. P runs simulator on (x, e) to get (a, e, z) and sends a to V

Open: to reveal the commitment, P sends (e, z) to V, V checks (a, e, z)

Non-Interactive -protocol

No interaction, no Verifier

w. public Random Oracle

e = R(a)

not provably secure

Signature From -protocol

(x; w)

public key x

private key w

message m

e = R(a++m)

(a, z) is a signature

as hard to break as to compute w from x (in ROM)

Conclusion

One template for many protocols

Highly efficient

Composable

Provably secure

Makes things easier

Crypto is HARD anyway...

Questions?

Twitter: @chepurnoyMail: kushti@protonmail.ch