Verifiable delegated computation zk-SNARKs and...
Transcript of Verifiable delegated computation zk-SNARKs and...
![Page 1: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/1.jpg)
Verifiable delegated computation:zk-SNARKs and Applications
Anca NitulescuCRYPTO team
![Page 2: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/2.jpg)
Outline
2
Definition
Properties
Quantum resistance
Tool Chain
Encodings
Assumptions
Security
Post-quantum SNARK
DifficultiesComparison
Open Problems
Conclusions
Directions
Construction
Cloud Computing
Blockchain Privacy
Motivation
SNARKs
![Page 3: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/3.jpg)
Motivation
3
Directions
Construction
Cloud Computing
Blockchain Privacy
Motivation
SNARKs
![Page 4: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/4.jpg)
Cloud: Available for Everything
4
Storedocuments,
photos, videos, etc
Ask queries on the data
Share them with colleagues, friends, family
Processthe data
![Page 5: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/5.jpg)
Outsourced Processing
5
The Cloud Provider:
● knows the content● performs the computations
Claims to
● safely store the data● securely process the data● answer correctly to our queries● protect privacy
![Page 6: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/6.jpg)
Risks
6
For economical reasons, by accident, or attacks● data can get deleted● results of computation can be modified● one can use your private data to analyze and sell/negotiate
the information
![Page 7: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/7.jpg)
Cryptography in the Cloud
Enc Dec proof
Privacy
Authenticity
Integrity
f(x)
pk sk
Sign
![Page 8: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/8.jpg)
Cryptography
8
Much of the cryptography used todayoffers security properties for data and
communication.
Aspects in information security:
● data confidentiality
● authentication
● data integrity
What about computations?
![Page 9: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/9.jpg)
9
Delegated Computation
WorkerClient
![Page 10: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/10.jpg)
10
Compute f(x)
WorkerClient
Delegated Computation
![Page 11: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/11.jpg)
11
Client Worker
“I have the
result y=f(x)”
Delegated Computation
![Page 12: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/12.jpg)
12
Corrupted Worker
y* ≠ f(x)
Client
Unreliable Worker
![Page 13: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/13.jpg)
13
Client Verifier
WorkerProver
Ask for a proof
Proof π
y* ≠ f(x)
Verify π
π
![Page 14: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/14.jpg)
Integrity for Computation
14
SNAR
K!
![Page 15: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/15.jpg)
White
SNARK: Properties of a Proof
15
SuccinctProof of Knowledge
Fast Verification
![Page 16: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/16.jpg)
SNARKs
16
Definition
Properties
Quantum resistance
Motivation
SNARKs
Construction
Directions
![Page 17: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/17.jpg)
17
Algorithms
Proof Systems
![Page 18: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/18.jpg)
Proofs in Crypto: since 1980s
18
Zero-Knowledge does not leak anything
about the witness
Efficiency verification faster than computing f(x)
Correctnessany correct evaluation
f(x) has a valid proof
Proofs
![Page 19: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/19.jpg)
Proofs in Private Blockchain
I know xs.t.
y=f(x) π
Key Properties for usage in Distributed Protocols
● zero knowledge● proof of knowledge● non-interactivity● publicly verifiable● succinctness
![Page 20: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/20.jpg)
Argumentof Knowledge
SNARK: Succinct Non-Interactive ARgument of Knowledge
20
Non-Interactivity no exchange between prover and verifier
Zero-Knowledge does not leak anything
about the witness
Succinctness proof size independent of NP witness size
Efficiency verification faster than computing f(x)
Correctnessany correct evaluation
f(x) has a valid proof
SNARK
![Page 21: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/21.jpg)
Argument of Knowledge
21
crs, auxAdversary
SNARK
![Page 22: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/22.jpg)
Argument of Knowledge
22
extractorcrs, aux
crs, aux
Adversary
SNARK
![Page 23: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/23.jpg)
Efficient Constructions: Pinocchio, Geppetto
23
Pinocchio: Nearly Practical Verifiable Computation
Bryan Parno, Jon Howell, Craig Gentry, Mariana Raykova
Geppetto: Versatile Verifiable Computation
Craig Costello, Cédric Fournet,Jon Howell, Markulf Kohlweiss,Benjamin Kreuter, Michael Naehrig,Bryan Parno, Samee Zahur
![Page 24: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/24.jpg)
Quantum Attacks
24
Existent SNARKs:
● zero-knowledge● publicly-verifiable (only crs)● based on DLog in EC groups● not quantum resistant
![Page 25: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/25.jpg)
Quantum Attacks
25
Existent SNARKs:
● zero-knowledge● publicly-verifiable (only crs)● based on DLog in EC groups● not quantum resistant
Post-Quantum SNARKs:
● based on lattice assumptions● designated-verifiable (vk)● zero-knowledge
![Page 26: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/26.jpg)
Construction
26
Definition
Construction Steps
Tool Chain
Encodings
Assumptions
Security
Construction
SNARKs
SNARKs
Motivation
Directions
![Page 27: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/27.jpg)
SNARK: Overview of Toolchain
27
Circuitfor f(x)
![Page 28: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/28.jpg)
Circuit Satisfiability Problem
28
Circuitfor f(x)
f(x1 ,x2)=y
x1 x2 y
0/1
C(x1 ,x2,y)
![Page 29: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/29.jpg)
SNARK: Overview of Toolchain
29
Circuitfor f(x)
SSPFind h(x)t(x)h(x)=p(x)
Square Span
Program
![Page 30: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/30.jpg)
Step 1. Linearization of logic gates
30
SSPFind h(x)t(x)h(x)=p(x)
SquareSpan
Program a b c a b c a b c
0 0 0 0 0 0 0 0 0
0 1 1 0 1 0 0 1 1
1 0 1 1 0 0 1 0 1
1 1 1 1 1 1 1 1 0
– a – b + 2c ∈ {0,1} a + b – 2c ∈ {0,1} a + b + c ∈ {0,2}
a b
c
a b
c
a b
c
OR gate AND gate XOR gate
[DFGK14]
![Page 31: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/31.jpg)
Step 2. Matrix equation for circuit
31
V
a δ+
。 = – δ+ 2 0
V + ∈ {0,2}d a
V
a
δ
OR gate AND gate XOR gate Output gate = 1 Entries = bits– a – b + 2c ∈ {0,1} a + b – 2c ∈ {0,1} a + b + c ∈ {0,2} 3 – 3c ∈ {0,1} 2a, 2b ∈ {0,2}
αa + βb +γc + δ ∈ {0,2}
SSPFind h(x)t(x)h(x)=p(x)
SquareSpan
Program
![Page 32: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/32.jpg)
Step 2. Matrix equation for circuit
32
OR gate AND gate XOR gate Output gate = 1 Entries = bits– a – b + 2c ∈ {0,1} a + b – 2c ∈ {0,1} a + b + c ∈ {0,2} 3 – 3c ∈ {0,1} 2a, 2b ∈ {0,2}
αa + βb +γc + δ ∈ {0,2}
。 = 1– 1δV
a + – 1δV
a +
SSPFind h(x)t(x)h(x)=p(x)
SquareSpan
Program V
a δ+
。 = – δ+ 2 0V
a
![Page 33: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/33.jpg)
33
。 = 1V
a + δ –
1
V
a +δ –
1
Step 3. Polynomial Interpolation
SSPFind h(x)t(x)h(x)=p(x)
SquareSpan
Program
![Page 34: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/34.jpg)
Step 4. Polynomial Problem SSP
34
SSPFind h(x)t(x)h(x)=p(x)
SquareSpan
Program
![Page 35: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/35.jpg)
Step 4. Polynomial Problem SSP
35
SSP
SSPFind h(x)t(x)h(x)=p(x)
SquareSpan
Program
![Page 36: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/36.jpg)
Step 4. Polynomial Problem SSP
36
SSP
SSPFind h(x)t(x)h(x)=p(x)
SquareSpan
Program
![Page 37: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/37.jpg)
SNARK: Overview of Toolchain
37
Circuitfor f(x)
Proof:Evaluate in a point
V(s), h(s)t(s) | V(s)
SSPFind h(x)t(x)h(x)=p(x)
Square Span
Program
![Page 38: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/38.jpg)
Proving on top of SSP: Idea
38
Evaluate in a point
V(s), h(s)
Prover: Evaluate the solution in a random unknown point s
Preprocessing: Publish all necessary powers of s(hidden from the Prover)
SSP
v1(x),v2(x)...vm(x)
t(x)
![Page 39: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/39.jpg)
39
SSP
v1(x),v2(x)...vm(x)
t(x)
Enc(s) Enc(s2) Enc(sd)
Proving on top of SSP: Idea
Evaluate in a point
V(s), h(s)
![Page 40: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/40.jpg)
40
SSP
v1(x),v2(x)...vm(x)
t(x)
Enc(s) Enc(s2) Enc(sd) Enc(h(s))
Proving on top of SSP: Idea
Evaluate in a point
V(s), h(s)
Enc(h(s))= Enc(Σ his
i)
![Page 41: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/41.jpg)
41
SSP
v1(x),v2(x)...vm(x)
t(x)
Enc(s) Enc(s2) Enc(sd)
Encoding:● linearly homomorphic
Enc(Σ hjsj) = Σj hj Enc(sj)
Proving on top of SSP: Idea
Evaluate in a point
V(s), h(s)Enc(h(s))
![Page 42: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/42.jpg)
42
SSP
v1(x),v2(x)...vm(x)
t(x)
Enc(s2) Enc(sd)
πProof = ,Enc(V(s)) Enc(h(s))
Proving on top of SSP: Idea
Evaluate in a point
V(s), h(s)Enc(s)
![Page 43: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/43.jpg)
SSP
v1(x),v2(x)...vm(x)
t(x)
Enc(s2) Enc(sd) Enc(βvi(s))Enc(β)
i =0,m
πProof = , ,Enc(V(s)) Enc(h(s)) Enc(βV(s))
Not an argument of Knowledge!
Evaluate in a point
V(s), h(s)Enc(s)
![Page 44: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/44.jpg)
44
d-PKE
Enc(αs) Enc(αs2) Enc(αsd)
Enc(s) Enc(s2) Enc(sd)
Enc(P) Enc(αP)
Assumption PKE: Power Knowledge of Exponent
![Page 45: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/45.jpg)
Assumption PKE: Power Knowledge of Exponent
45
d-PKE
= Enc(Σ pisi)
Enc(P)p1 p2 pd
Enc(αs) Enc(αs2) Enc(αsd)
Enc(s2) Enc(sd)
Enc(P) Enc(αP)
Enc(s)
![Page 46: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/46.jpg)
46
SSP: t(x)v1(x),v2(x)...vm(x)
Enc(αs) Enc(αs2) Enc(αsd)
Enc(s2) Enc(sd)
Enc(βvi(s))Enc(β)
i =1,m
π =
Enc(V(s)) Enc(h(s))
Enc(βV(s))
Enc(αV(s)) Enc(αh(s))
Setup and Proof
Evaluate in a point
V(s), h(s)
Enc(s)
![Page 47: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/47.jpg)
SNARK: Overview of Toolchain
47
Circuitfor f(x)
Proof:Evaluate in a point
VerifyVerifythe proof
t(s)h(s)=p(s)p(s)= V(s)2 -1
?
h(s)V(s)
SSPFind h(x)t(x)h(x)=p(x)
Square Span
Program
V(s), h(s)t(s) | V(s)
![Page 48: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/48.jpg)
Proving on top of SSP: Verifier
48
π
Verifier
=
VerifyVerifythe proof
t(s)h(s)=p(s)?
h(s)V(s)
W HB
Ŵ Ĥ
![Page 49: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/49.jpg)
Proving on top of SSP: Verifier
49
H –1
Enc(t(s)) W 2
Verifier
π =
W HB
Ŵ Ĥ
VerifyVerifythe proof
t(s)h(s)=p(s)?
h(s)V(s)
![Page 50: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/50.jpg)
Proving on top of SSP: Verifier
50
Encoding:
● linearly homomorphic● quadratic root detection● image verification
H –1
Enc(t(s)) W 2
Verifier
vk
VerifyVerifythe proof
t(s)h(s)=p(s)?
h(s)V(s)
![Page 51: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/51.jpg)
Formal Construction and Security
51
Protocol SecurityAssumptions
Algorithms
?
![Page 52: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/52.jpg)
Setup Algorithm
52
SSP: t(x)v1(x),v2(x)...vm(x)
Enc(αs) Enc(αs2) Enc(αsd)
Enc(s) Enc(s2) Enc(sd)
Enc(βvi(s))
i =1,m
crs
![Page 53: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/53.jpg)
Prover Algorithm
53
SSP
crs
π
Proof
=
Enc(V(s)) Enc(h(s))
Enc(βV(s))
Enc(αV(s)) Enc(αh(s))
W H
B
Ŵ Ĥ
![Page 54: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/54.jpg)
Prover Algorithm
54
SSP
crs
π
Proof
=
Enc(V(s)) Enc(h(s))
Enc(βV(s))
Enc(αV(s)) Enc(αh(s))
W H
B
Ŵ Ĥ
![Page 55: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/55.jpg)
Prover Algorithm
55
SSP
crs
π
Proof
=
Enc(V(s)) Enc(h(s))
Enc(βV(s))
Enc(αV(s)) Enc(αh(s))
W H
B
Ŵ Ĥ
![Page 56: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/56.jpg)
Verifier Algorithm
56
Verify
BŴ
Ĥ
W
H
W
α
αβ
H – 1
Enc(t(s)) W W
![Page 57: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/57.jpg)
Security Reduction
SSP
crs
B ĤŴ
W Hπ =
α
αβ
t(s)
HĤ
Ŵ WB W
H W W – 1
![Page 58: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/58.jpg)
Cheating Strategy
CheatingProver
(crs) πH
B
Ŵ Ĥ =
W
![Page 59: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/59.jpg)
π =
CheatingProver
(crs)
W HB
Ŵ Ĥ
Cheating Strategy
![Page 60: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/60.jpg)
π
V1 V2 Vd
h1 h2 hd
CheatingProver
(crs) =
W HB
Ŵ Ĥ
Cheating Strategy
![Page 61: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/61.jpg)
π
V1 V2 Vd
h1 h2 hd
CheatingProver
(crs)
V(x)
h(x)
=
W HB
Ŵ Ĥ
Cheating Strategy
![Page 62: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/62.jpg)
πCheatingProver
(crs)
V(x) h(x)
HB
Ŵ Ĥ =
W
Cheating Strategy
![Page 63: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/63.jpg)
Division does not hold
πCheatingProver
(crs)
V(x) h(x)
– 1H W2Enc(t(s))
HB
Ŵ Ĥ =
W
![Page 64: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/64.jpg)
Invalid linear combination
πCheatingProver
(crs)
V(x) h(x)
Bβ
W
HB
Ŵ Ĥ =
W
![Page 65: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/65.jpg)
Prover unable to compute higher degree polynomials
πCheatingProver
(crs)
V(x) h(x)
HB
Ŵ Ĥ =
W
![Page 66: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/66.jpg)
Assumption PDH: Power Diffie-Hellman
66
d-PDH
Enc(s) Enc(s2) Enc(sd) Enc(s2d) Enc(sd+2)
![Page 67: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/67.jpg)
67
d-PDH
Enc(s2) Enc(sd) Enc(s2d) Enc(sd+2)
Enc(sd+1)
Assumption PDH: Power Diffie-Hellman
Enc(s)
![Page 68: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/68.jpg)
68
d-PDH
Enc(s) Enc(s2) Enc(sd)
Enc(s2d)
Security Reduction: Cheating Prover to d-PDH
? Enc(sd+2)
![Page 69: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/69.jpg)
69
d-PDH
Enc(s) Enc(s2) Enc(sd)
Enc(s2d)
Security Reduction: Cheating Prover to d-PDH
?
CheatingProver
Enc(sd+2)
![Page 70: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/70.jpg)
70
d-PDH
Enc(s) Enc(s2) Enc(sd)
Enc(s2d)
Security Reduction: Cheating Prover to d-PDH
?
CheatingProver
crs
Enc(sd+2)
![Page 71: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/71.jpg)
71
d-PDH
Enc(s) Enc(s2) Enc(sd)
Enc(s2d)
Security Reduction: Cheating Prover to d-PDH
?
CheatingProver
crss s2 sd
Enc(sd+2)
![Page 72: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/72.jpg)
72
d-PDH
Enc(s) Enc(s2) Enc(sd)
Enc(s2d)
Security Reduction: Cheating Prover to d-PDH
?
CheatingProver
crss s2 sd
αs αs2 αsd
✖αEnc(sd+2)
![Page 73: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/73.jpg)
73
d-PDH
Enc(s) Enc(s2) Enc(sd)
Enc(s2d)
Security Reduction: Cheating Prover to d-PDH
? Enc(sd+2)
CheatingProver
crss s2 sd
αs αs2 αsd
SSP
![Page 74: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/74.jpg)
74
d-PDH
Enc(s) Enc(s2) Enc(sd)
Enc(s2d)
Security Reduction: Cheating Prover to d-PDH
?
CheatingProver
SSP
crss s2 sd
αs αs2 αsd
i
Enc(βvi(s))
Enc(sd+2)
![Page 75: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/75.jpg)
75
d-PDH
Enc(s) Enc(s2) Enc(sd)
Enc(s2d)
Security Reduction: Cheating Prover to d-PDH
?
CheatingProver
SSP
crss s2 sd
αs αs2 αsdβvi(s)
B ĤŴ
W H
Enc(sd+2)
![Page 76: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/76.jpg)
76
d-PDH
Enc(s) Enc(s2) Enc(sd)
Enc(s2d)
Security Reduction: Cheating Prover to d-PDH
?
CheatingProver
SSP
crss s2 sd
αs αs2 αsdβvi(s)
h(x)
B ĤŴ
W H
V(x)
Enc(sd+2)
![Page 77: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/77.jpg)
77
d-PDH
Enc(s) Enc(s2) Enc(sd)
Enc(s2d) Enc(sd+2)
Security Reduction: Cheating Prover to d-PDH
?
CheatingProver
SSP
crss s2 sd
αs αs2 αsdβvi(s)
V(x) h(x)
B ĤŴ
W H
![Page 78: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/78.jpg)
78
d-PDH
Enc(s) Enc(s2) Enc(sd)
Enc(s2d)
Security Reduction: Cheating Prover to d-PDH
?
CheatingProver
SSP
crss s2 sd
αs αs2 αsdβvi(s)
h(x)
B ĤŴ
W H
V(x)
Enc(sd+2)
![Page 79: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/79.jpg)
79
d-PDH
Enc(s) Enc(s2) Enc(sd) Enc(s2d) Enc(sd+2)
Enc(sd+1)
Security Reduction: Cheating Prover to d-PDH
![Page 80: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/80.jpg)
Encodings: Publicly vs. Designated Verifiable
80
Publicly Verifiable Encoding:● linear operation using crs● quadratic root detection using crs● image verification using crs
Designated Verifiable Encoding:● linear operation using crs● quadratic root detection needs sk● image verification using crs
![Page 81: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/81.jpg)
Security: Types of encodings
81
Publicly Verifiable Encoding:● linear operation using crs● quadratic root detection using crs● image verification using crs
Designated Verifiable Encoding:● linear operation using crs● quadratic root detection needs sk● image verification using crs
crs ProverVerifier
Enc
![Page 82: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/82.jpg)
Security: Types of encodings
82
Publicly Verifiable Encoding:● linear operation using crs● quadratic root detection using crs● image verification using crs
Designated Verifiable Encoding:● linear operation using crs● quadratic root detection needs sk● image verification using crs
Prover Verifiercrs crs sk
ProverVerifier
Enc Enc Dec
![Page 83: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/83.jpg)
Security: Publicly Verifiable Encoding
crsProver
SSP
crsgs s2 sd g g
gαs αs2 g αsd g βvi(s) g
![Page 84: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/84.jpg)
Security: Publicly Verifiable Encoding
? Verifier
crs
crsProver
SSP
crsgs s2 sd g g
gαs αs2 g αsd g βvi(s) g
![Page 85: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/85.jpg)
Security: Designated Verifiable Encoding
85
crsProver
Epk(s) Epk(s2)Encryption:
Decryption:
Epk(sd)
Epk(αs) Epk(αs2) Epk(αsd)
SSP
crs Epk(βvi(s))
![Page 86: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/86.jpg)
Security: Designated Verifiable Encoding
86
Verifier
crssk
Epk(p(s)) Epk(h(s))
π ?
Epk(s) Epk(s2)Encryption:
Decryption:
Epk(sd)
Epk(αs) Epk(αs2) Epk(αsd)
SSP
crs Epk(βvi(s))
![Page 87: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/87.jpg)
Directions
87
Construction
SNARKsPost-quantum
SNARK
DifficultiesComparison
Open Problems
Conclusions
Directions
Motivation
![Page 88: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/88.jpg)
Lattice-based Encodings: Regev Encryption Scheme
88
Encryption:
Decryption:
error
![Page 89: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/89.jpg)
89
Encryption:
Decryption:
error
Lattice-based Encodings: Regev Encryption Scheme
E(m1+m2 )E(m1
)
error error
E(m2 )
error
![Page 90: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/90.jpg)
New Lattice Assumptions
90
= Enc(Σ pisi)
Es(P)p1 p2 pd
d-PKE
E(P) E(αP)
E(s) E(s2) E(sd)
E(αs) E(αs2) E(αsd)
![Page 91: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/91.jpg)
91
d-PDH
Assumption d-PDH
?
E(s) E(s2) E(sd)
E(sd+2) E(αs2d)
![Page 92: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/92.jpg)
Technical Aspects
92
E(s) E(s2) E(sd)
E(αs) E(αs2) E(αsd)
SSP
crs
d-PDH E(s) E(s2) E(sd)
E(βvi(s) )
error
![Page 93: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/93.jpg)
SNARKs: Further Directions
93
based on DLog in EC groupsnot quantum resistant
publicly-verifiablezero-knowledge
Standard SNARKs
based on lattice assumptionsdesignated-verifiablezero-knowledge
Post-Quantum SNARKs
![Page 94: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/94.jpg)
94
based on DLog in EC groupsnot quantum resistant
publicly-verifiablezero-knowledge
Standard SNARKs
based on lattice assumptionsdesignated-verifiablezero-knowledge
Post-Quantum SNARKs
post-quantum SNARKsPublicly Verifiable
?
SNARKs: Further Directions
![Page 95: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/95.jpg)
More trustful Cloud
95
Access from Anywhere
Storage guarantees: emergency backup
Integrity of the
computations
Privacy for your data
![Page 96: Verifiable delegated computation zk-SNARKs and Applicationsnitulesc/files/slides/SNARKs-Blockchains.pdf · Cloud: Available for Everything 4 Store documents, photos, videos, etc Ask](https://reader034.fdocuments.us/reader034/viewer/2022051916/600808213be72d6b690ef726/html5/thumbnails/96.jpg)
www.di.ens.fr/~nitulesc
THANK YOU