ELI BEN-SASSON, ALESSANDRO CHIESA, ERAN TROMER AND MADARS VIRZA USENIX SECURITY SYMPOSIUM 2014...
ELI BEN-SASSON, ALESSANDRO CHIESA, ERAN TROMER AND MADARS VIRZA
USENIX SECURITY SYMPOSIUM 2014
Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture
Outline
- Warm-up example
- Problem definition
- Contribution
- Evaluation
- Comparison
- Question time
What is a zero-knowledge proof
- Interactive zero-knowledge proofs: theoretical systems where a first party ('Prover') exchanges messages with a second party ('Verifier') to convince the Verifier that some mathematical statement is true.
- Properties
  - Completeness: an honest prover can convince the verifier
  - Soundness: no cheating prover can convince the verifier
  - Zero-knowledge: no cheating verifier learns anything other than the fact that the statement is true/false
Example
- AT&T wants to assign frequencies optimally across base stations
- Seeking help from Google
  - AT&T will not pay until it knows Google has the coloring
  - Google will not give the solution until it is paid
Solve the dilemma
- Zero-knowledge proof
  - AT&T places an empty chart in the room and leaves
  - Google walks in, shuffles the pens, colors the nodes and covers them with hats
  - AT&T walks in and challenges one of the edges
  - Repeat until confidence is high enough
Non-interactive zero knowledge proof
- Problem with interactive solution
  - No conversation, no proof
  - Cannot maintain conversation with many verifiers
- Desired properties
  - Solution and proof achieved in one pass
Non-interactive solution
- Let Google prepare a sequence of color pairs
  - Trivial to cheat: modify the coloring whenever adjacent nodes conflict
  - An extra mile: no control over the edge sequence
- Solution
  - Take all the commitments from the proof iterations and join them into a batch
  - Compute the hash of the batch, and treat the hash as if it were a sequence of integers
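The hats-and-pens protocol with its hash-derived edge challenges, as an added Python sketch (not from the slides or the paper). SHA-256 commitments stand in for the hats, and the graph is hashed together with the batch so a proof is bound to its statement, which goes slightly beyond the slide's recipe; the function names, the 5-cycle and the round count are constructed for illustration.

```python
import hashlib
import os
import secrets

def commit(color, nonce):
    # The "hat": a hash commitment hiding one node's color until nonce is revealed.
    return hashlib.sha256(nonce + bytes([color])).digest()

def challenges(edges, commits):
    # Join all rounds' commitments into one batch, hash it, and read the result
    # as a sequence of integers: one edge index per round.
    h = hashlib.sha256(repr(edges).encode())  # assumption: also bind the graph
    for round_commits in commits:
        h.update(b"".join(round_commits))
    batch = h.digest()
    return [int.from_bytes(hashlib.sha256(batch + r.to_bytes(4, "big")).digest(),
                           "big") % len(edges) for r in range(len(commits))]

def prove(edges, coloring, rounds):
    rng = secrets.SystemRandom()
    colors, nonces, commits = [], [], []
    for _ in range(rounds):
        perm = rng.sample(range(3), 3)          # "shuffle the pens"
        colors.append([perm[c] for c in coloring])
        nonces.append([os.urandom(16) for _ in coloring])
        commits.append([commit(c, n) for c, n in zip(colors[-1], nonces[-1])])
    openings = []
    for r, e in enumerate(challenges(edges, commits)):
        u, v = edges[e]                         # only the challenged edge is opened
        openings.append((colors[r][u], nonces[r][u], colors[r][v], nonces[r][v]))
    return commits, openings

def verify(edges, n_nodes, proof, rounds):
    commits, openings = proof
    if len(commits) != rounds or len(openings) != rounds:
        return False                            # verifier fixes the round count
    if any(len(c) != n_nodes for c in commits):
        return False
    for cs, e, (cu, su, cv, sv) in zip(commits, challenges(edges, commits), openings):
        u, v = edges[e]
        if cu == cv or not {cu, cv} <= {0, 1, 2}:
            return False                        # endpoints must differ, colors valid
        if commit(cu, su) != cs[u] or commit(cv, sv) != cs[v]:
            return False                        # opening must match the commitment
    return True

# Constructed sample: a 5-cycle and a valid 3-coloring of it.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)]
COLORING = [0, 1, 0, 1, 2]
```

Because the prover computes the challenges itself, it can retry offline with fresh randomness; the round count has to make (1 - 1/|E|)^rounds negligible against that many attempts.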
Problem definition
- Security problem
  - A client owns a public input x
  - A server owns a private input DB
  - The client wishes to learn z = A(x, DB) for a problem A known to both parties
  - Integrity vs. confidentiality
More than that
- Universality
  - A “hash” function for all kinds of problems
- Efficiency
  - Interfacing a problem to a universal setting
  - Conduct efficient proving & verification
General Solution
Circuit generation
- Limitation of prior work
  - Per-program key generation
  - Limited support for high-level languages
- Proposal
  - One setting for all problems
  - Python?
  - A mini von Neumann architecture: vnTinyMem
Circuit generation
- Goal
  - Validity of instruction fetch
  - Validity of instruction execution
  - Validity of memory access
Circuit generation
- Approach
  - CPU operation states (registers S and instruction I)
  - Trace = (S_1, I_1, …, S_T, I_T)
  - Non-deterministic routing
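A common way to check memory validity over such a trace, as an added Python illustration (not from the slides or the paper's code): the prover also supplies the memory operations re-sorted by address and time, and the checker only compares neighbours. The tuple layout, the function names and the sample trace are assumptions; the multiset comparison stands in for the routing network that a circuit would use to show the two orderings hold the same entries.

```python
from collections import Counter

def by_address(trace):
    # The honest prover's witness: the same operations ordered by (address, time).
    return sorted(trace, key=lambda op: (op[1], op[0]))

def check_memory(trace, witness, initial):
    """Each entry is (time, addr, kind, value) with kind "load" or "store"."""
    # (a) The witness must be a rearrangement of the time-ordered trace.
    if Counter(trace) != Counter(witness):
        return False
    prev = None
    for t, addr, kind, value in witness:
        # (b) Neighbours must be strictly ordered by (address, time).
        if prev is not None and (prev[1], prev[0]) >= (addr, t):
            return False
        # (c) A load must return the previous value at that address, or the
        #     initial memory content if this is the first access to it.
        if kind == "load":
            same_addr = prev is not None and prev[1] == addr
            expected = prev[3] if same_addr else initial.get(addr, 0)
            if value != expected:
                return False
        prev = (t, addr, kind, value)
    return True

# Constructed sample. Code and data share one memory (von Neumann), so an
# instruction fetch is just a load from a code address (0 and 1 here).
INITIAL = {0: 0x10, 1: 0x11, 100: 7}
TRACE = [
    (0, 0, "load", 0x10),    # fetch instruction at address 0
    (1, 100, "load", 7),     # data read
    (2, 1, "load", 0x11),    # fetch instruction at address 1
    (3, 100, "store", 9),    # data write
    (4, 100, "load", 9),     # must see the value just written
]
# A cheating trace whose last load returns the stale value 7.
STALE = TRACE[:-1] + [(4, 100, "load", 7)]
```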
SNARK for circuit
- Tailored implementation of underlying components
  - Finite-field arithmetic, elliptic-curve group arithmetic, pairing-based checks, and so on
- Performance
Evaluation
- Circuit generator
  - Additive dependence on program size
  - Most gates dedicated to checking execution
Evaluation
- SNARK
  - Low time consumption per gate
  - Small proof/key size
Comparison
- Pinocchio: Nearly Practical Verifiable Computation
  - Similar proof tool chain workflow
  - Constant proof size
  - Circuit generation: program analysis
    - Restricts loop iteration bounds and memory accesses to be known at compile time
  - Good for circuit-like routines
  - Bad for memory-intensive programs
Comparison
- Pantry: Verifying computations with state
  - Re-implements the protocol in “Pinocchio” and allows data-dependent memory access
  - Extends a verifiable map-reduce framework
  - Gate consumption is high for memory accesses
  - Also relies on program analysis
Comparison
- TRUESET: Faster Verifiable Set Computations
  - Mixture of arithmetic gates and set gates
  - Specialized in set operations (SQL subset)
    - Intersection, union and set difference
  - Input-specific runtime
Thank you
Question & answer