MPC-based zero-knowledge proof protocol

references:

1. Jawurek , M. , F. Kerschbaum , and C. Orlandi . 2013. “Zero-knowledge using garbled circuits: how to prove non-algebraic statements efficiently”. In: ACM CCS 13: 20th Conference on Computer and Communications Security . Ed. by A.-R. Sadeghi, VD Gligor, and M. Yung. ACM Press. 955–966.
2. Evans D, Kolesnikov V, Rosulek M. A pragmatic introduction to secure multi-party computation[J]. Foundations and Trends® in Privacy and Security, 2018, 2(2-3): 70-246.
3. Applied Cryptography: Protocols, Algorithms, and C Source Programs (Daheipi of Jigongshe)

CPC

The basic definition of the zero-knowledge proof protocol is in this article .

interactive

Recently I saw another expression describing ZKP:

1. Verifier has a hard problem instance $H_1$, Prover declares that he owns $H_1$Solution $S_1$
2. Prover use $1$ random number$r$ , this puzzle instance$H_1$, transforming into another isomorphic hard problem instance $H_2$. At the same time, according to $S_1$and $r$ , get the corresponding solution$S_2$
3. Prover pair solution $S_2$Make a commitment, then assign the puzzle $H_2$and commitment value $c$ are sent to Verifier
4. Verifier randomly asks Prover to give Proof of one of the following two statements:
   1. Prover is required to prove that two puzzles are isomorphic, $H_1\cong H_2$
   2. Ask Prover to disclose $S_2$, and prove that $S_2$is $H_2$the correct solution for
5. Prover gives the required Proof, and Verifier verifies it
6. Both execute nn repeatedly$n$ times step 1 ~ step 5, until Verifier believes that Prover does have$S_1$(In general, $n=10$ is fine)

Completeness : Honest Prover has $S_1$, he can always give the two Proofs required in step 4, so Verifier will eventually believe him.

Reliability : A malicious Prover who doesn't have $S_1$, in order to pass the verification of step 4, he has to guess the choice of Verifier. If it is guessed that Verifier will execute step 4.1, then the adversary chooses a H 2 ≅ H 1 H_2 \cong H_1 in step 2$H_2\cong H_1$, and he does not own the corresponding $S_2$. If it is guessed that Verifier will execute step 4.2, then the adversary randomly generates a difficult problem H 2 ′ H_2’ in step 2$H_2^{\prime }$And the corresponding solution $S_2^{\prime }$, but at the same time he could not prove that $H_1\cong H_2^{\prime }$。

Zero-knowledge : A malicious Verifier cannot convince the third-party Alice of the validity of the above Proof. Assuming that the adversary uses a camera to record every step of the protocol, even if the video shows that Prover always gives the correct Proof, Alice can always question it: whenever Prover guesses correctly, Verifier keeps the video; whenever Prover guesses wrong , Verifier deletes the video. People cannot tell the difference between real records (in the real world) and fake records (in the ideal world)!

It has been proven that:

1. Any NP proposition contains a ZKP
2. Any mathematical proof can be transformed into a ZKP
3. Anything that can be done with interactive proofs can also be done with interactive ZKPs

non-interactive

The reason why Alice does not believe it above is that she did not intervene in the interaction of the ZKP. In order for a Prover to convince anyone of his Proof, he needs a non-interactive ZKP . Whenever Prover releases Proof, anyone can verify whether the Proof is valid (identity authentication protocol, signature protocol).

Using the Hash function $H$ replaces Verifier:

1. Prover claims to own a hard problem instance $H$ 's solution$S$
2. Prover utilizes $n$ random numbers{ ri } \{r_i\}{ ri​} , this puzzle instance$H$ , transformed into a random$n$ isomorphic problem instances{ H i } \{H_i\}{ Hi​} . At the same time, according to$S$ -sum$\left\{r_i\right\}$ , get the corresponding solution{ S i } \{S_i\}{ Si​}
3. Prover pair solution $\left\{S_i\right\}$ make a commitment, then assign the hard problem{ H i } \{H_i\}{ Hi​} and commitment value{ ci } \{c_i\}{ ci​} are public
4. Prover calculates b = H ( { ci } ) b = H(\{c_i\})b=H({ ci​}) , intercept the front$n$ ratio$b=b[1:n]$ , then according tob [ i ] ∈ { 0 , 1 } b[i] \in \{0,1\}b[i]∈{ 0,1 } gives a Proof of one of the following two declarations:
   1. This $b[i]=0$ , Prover proves that the two problems are isomorphic,$H\cong H_i$
   2. This $b\left[i\right]=1$，Prover public$S_i$, and prove $S_i$Is $H_i$the correct solution for
5. Prover announced the nn in step 4$n$ Proofs, anyone can verify it: first according to{ ci } \{c_i\}{ ci​} Calculate$b$ , and then check the$Whether\; the\; i$ Proof is about$b\left[i\right]$ Legal proof of claim.

HH here$H$ playsan unbiased random bit generator. If the malicious Prover does not own$S$ , then he can only give at most one Proof in step 4, but not all Proofs at the same time, so in order to deceive, he must be able to predictHHoutput of$H.$

Of course, Prover (not Verifier) ​​picks $b$ , so the adversary can completely randomly guessbbex nnof$b$$n$ bits, then try different{ S i } \{S_i\}{ Si​} combination until all guess$n$ bits. At this point, the adversary can give a legal Proof. In order to resist the adversary's exhaustive attack, we need to use$The\; n$ setting is relatively large, such as$64,128$

JKO（2013）

ZKP can be used as a special malicious secure computation , according to the statement $y$ constructs the circuit$C(\cdot ,y)$（$C(x,y)=1⟺(x,y)\in R$ ), where evidence xxis entered as a party to the Prover$x$ , the Verifier side does not input anything, and the final circuit result is$C(x,y)$ output to Prover.

It is obvious that the aforementioned malicious adversary-safe two-party computation can always be achieved by using any cut-and-choose-based 2PC protocol . However, the 2PC protocol that directly uses C&C technology, the corresponding confusion circuit is too huge.

Jawurek, Kerschbaum and Orlandi observed: Since Verifier has no input, if he is asked to generate GC, then this GC can be used for checking and evaluation at the same time : to reverse the role, we let Verifier generate a Yao's Garbled Circuit , although Prover can Observing all the labels, you can theoretically obtain any plaintext input bits of the Verifier, but the Verifier has no privacy input at all. Therefore, it is only necessary to set the repetition factor as $r=1.$ The size of the confusion circuit under C&C technology is greatly reduced.

The JKO agreement is as follows:

1. Verifier $P_1$Base $C(\cdot ,y)$ of$1$ obfuscation circuit GC, sent to Prover$P_2$
2. $P_2$Get xx with OT protocolFor the confusing input corresponding to$x$ , the calculation circuit obtains the proof result v ∈ { 0 , 1 } v \in \{0,1\}v∈{ 0,1 } 's obfuscated output$k_{out}^v$
3. $P_2$对$k_{out}^v$To make a commit , only commit the value $c=commit(k_{out}^v,r)$ send to$P_1$
4. received $After\; c$ ,$P_1$Turn on GC, $P_2$to check that it is correct,
   1. If the circuit is correct, then $P_2$发送$(k_{out}^v,r)=decommit\left(c\right)$ forP 1$P\_1$$P_1$
   2. If the circuit is wrong, then $P_2$Terminate the agreement (malicious Verifier found)
5. $P_1$Verify that the uncommitment is legal,
   1. If legal, $P_1$Output label $k_{out}^v$The corresponding plaintext output $v$（当$v=1$ ,$P_1$Believe $P_2$Prove that $(x,y)\in R$）
   2. If illegal, $P_1$output $0$ (malicious Prover found)

Obviously the above non-interactive ZKP protocol is complete. Its security is discussed below:

1. secure against a cheating verifier (reliability): Before Verifier turns on GC, Prover has made a commitment to the output result, so it is difficult for a malicious Prover not to know $In\; the\; case\; of\; x,$ kout 1 k_{out}^1is calculated$k_{out}^1$
2. secure against a cheating prover (zero-knowledge): Only when the Prover verifies that this GC is indeed a circuit $C(\cdot ,y)$ before revealing the final calculation result$k_{out}^v$, so Verifier cannot use the wrong circuit to learn about xxany information about$x\; .$