Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.
Wählen Sie Textabschnitte aus um mit Künstlicher Intelligenz passenden Patente zu finden.
powered by
Markieren Sie Textabschnitte, um KI-gestützt weitere passende Inhalte zu finden.
powered by
Abstract
Zero-knowledge (ZK) proofs (ZKP) have received wide attention, focusing on non-interactivity, short proof size, and fast verification time. We focus on the fastest total proof time, in particular for large Boolean circuits. Under this metric, Garbled Circuit (GC)-based ZKP (Jawurek et al., [JKO], CCS 2013) remained the state-of-the-art technique due to the low-constant linear scaling of computing the garbling.
We improve GC-ZKP for proof statements with conditional clauses. Our communication is proportional to the longest branch rather than to the entire proof statement. This is most useful when the number \(m \) of branches is large, resulting in up to factor \(m \times \) improvement over JKO.
In our proof-of-concept illustrative application, prover \(\mathsf {P}\) demonstrates knowledge of a bug in a codebase consisting of any number of snippets of actual C code. Our computation cost is linear in the size of the codebase and communication is constant in the number of snippets. That is, we require only enough communication for a single largest snippet!
Our conceptual contribution is stacked garbling for ZK, a privacy-free circuit garbling scheme that can be used with the JKO GC-ZKP protocol to construct more efficient ZKP. Given a Boolean circuit \(\mathcal {C}\) and computational security parameter \(\kappa \), our garbling is \(L\cdot \kappa \) bits long, where L is the length of the longest execution path in \(\mathcal {C}\). All prior concretely efficient garbling schemes produce garblings of size \(|\mathcal {C} |\cdot \kappa \). The computational cost of our scheme is not increased over prior state-of-the-art.
We implement our GC-ZKP and demonstrate significantly improved (\(m \times \) over JKO) ZK performance for functions with branching factor \(m \). Compared with recent ZKP (STARK, Libra, KKW, Ligero, Aurora, Bulletproofs), our scheme offers much better proof times for larger circuits (35-\(1000\times \) or more, depending on circuit size and compared scheme).
For our illustrative application, we consider four C code snippets, each of about 30–50 LOC; one snippet allows an invalid memory dereference. The entire proof takes 0.15 s and communication is 1.5 MB.
Anzeige
Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.
[CGKS95] includes a PIR protocol where two non-colluding servers separately respond to a client’s two random, related queries by XORing elements of their result sets (and the client XORs out the true answer).
To be more precise, in the notation of Kolesnikov [Kol18], the function encoding \(F=(T,E)\) consists of function topology T (thought of as the Boolean circuit) and cryptographic material E (e.g., garbled tables). In our work, the cryptographic material E is proportional to the longest execution path.
For the reader familiar with the BHR notation, we provide the following discussion. In BHR, the function encoding F must (implicitly) include a full description of the function, i.e., it must include a description of each clause. In this sense, F is also proportional to the full size of the function. However, compared to the cryptographic material needed for the longest clause, this function description (which can be thought of as a Boolean circuit \(\mathcal {C}\) computing f) is small. Formally, the size of the circuit description is constant in \(\kappa \). Most importantly, implementations can assume that circuit descriptions are known to both players, and therefore need not transmit them (or treat them separately).
As discussed in Sect. 2, by XOR we mean length-aware XOR, where shorter clauses are padded with zeros so that all clauses are bitstrings of the same length.
Including the function description f is a formality to fit the BHR interface. In practice, f is often known to both parties and need not be explicitly handled/transmitted.
In fact, since we use half gates we can use the Free XOR extension [KS08]. Therefore, each clause has only one label for each input bit and one global \(\varDelta \) value that separates 0 bit labels from 1 bit labels. Our implementation stacks the \(\varDelta \) from each clause as part of the stacked projective garbling.
In the full version of this paper, we will discuss probabilistic correctness and the changes to our approach that are necessary to account for this probabilistic notion.