This document summarizes a talk on Sigma protocols and zero-knowledge proofs. Sigma protocols form the basis for building efficient zero-knowledge proofs. They allow a prover to convince a verifier that they know a secret witness for a statement, without revealing the witness. Schnorr's protocol is provided as a simple example of a Sigma protocol for proving knowledge of discrete logarithms. More advanced applications include building zero-knowledge proofs for statements involving AND, OR, and other logical combinations. Sigma protocols can also construct commitment schemes, non-interactive zero-knowledge proofs, and digital signatures when combined with cryptographic primitives like hash functions and random oracles.
Efficient Zero-Knowledge Proofs and Sigma Protocols
1. SPB Crypto Devs Meetup
Sigma Protocols and
Efficient Zero-Knowledge Proofs
Alexander Chepurnoy
IOHK Research
2. Motivating Example
● Alice publishes a commitment of a secret
● Alice passes a secret to Bob
● Bob wants to convince Carol he knows a secret
3. Motivating Example
● Anonymous voting
● Every vote is whether 0 or 1 encrypted
● To calculate a sum, additively homomorphic encryption
could be used
● But how to be sure only 0 or 1 is encrypted?
● Solution: a proof for each vote it is whether 0 or 1(without
revealing a value!)
4. ZKPoKs: What For
● Identification schemes
● Signatures
● Building block in many protocols(voting, anonymous
transactions etc)
5. ZKPoK
● Zero-Knowledge Proof of Knowledge
● Prover P, Verifier V, relation R
● Common input x
● P proves it knows a witness w for which (x,w) R∈
● Without revealing anything about it
● In practice, often inefficient and so avoided
6. Properties
● Completeness: a correct statement could be proven
● Soundness: it's not possible to prove incorrect statements
(with a non-negligible probability)
7. Σ-protocol, Generically
● P sends V a message a
● V sends P a random t-bit string e
● P sends a reply z, and V decides to accept or reject based
solely on the data it has seen; i.e., based only on the
values (x, a, e, z).
8. Theory Behind
● Ivan Damgard „On Sigma Protocols“
● Yehuda Lindell, Carmit Hazay „Efficient Secure Two-Party
Protocols: Techniques and Constructions“ (Book)
● Yehuda Lindell „Sigma Protocols and Zero Knowledge“
http://www.youtube.com/watch?v=nwsmG3S9wIc
9. Implementation
● ScAPI(Java/JVM) - The Secure Computation API
https://github.com/cryptobiu/scapi
● Protocols pseudocode
http://cryptobiu.github.io/scapi/SDK_Pseudocode.pdf
10. Example: Schnorr’s protocol
●
Σ-protocol for DLOG
● h = gw
● (p, q ,g, h) is common input
● First msg(P): a = gr
● Second msg(V): challenge c = random({0, 1}, t)
● Third message(P): z = r + ew mod q
● V checks if gz
= a * he
● Completeness: gz
= g(r+ew)
= gr
* (gw
)e
= a * he
11. Schnorr’s protocol
● Very efficient: just 3 exponentiations
● Proof-of-Knowledge protocol
● Not provably Zero-Knowledge
● but Honest Verifier Zero-Knowledge
● error 2-t
13. Example: Diffie-Hellman tuple
● Common input: (G,q,g,h,u,v,t)
● P knows w such as u = gw
, v = hw
● P sends out a = gr
, b = hr
● V sends out a challenge c = random({0, 1}, t)
● P sends out z = r + ew mod q
● V checks if gz
= a*ue
, hz
= b * ve
14. Run Properties
● Parallel execution: l parallel runs with challenge of size t is
equivalent to run protocols with challenge of size l*t
● Challenge could be of arbitrary size
17. OR Statement
● Prove one of two statements is true without revealing
which
● Based on simulation for a statement witness isn't known
for
18. Compound Statements
● OR of many statements (k out of n) is possible
● Any monotone formula, so any combination of ANDs and
ORs without a negation, is possible
20. Zero Knowledge From Σ-protocol
● Verifier needs to commit a challenge in prior to a fist
message from a Prover
●
With the commitment being added, a Σ-protocol becomes
provably Zero-Knowledge (details in the book of Lindell /
Hazay)
21. Zero Knowledge From Σ-protocol
●
Σ-protocol π
● V chooses a random t-bit challenge e and interacts with P via
the commitment protocol in order to commit to e
● P computes the first message a in π, using (x, w) as input, and
sends it to V
● V reveals e to P by decommitting
● P verifies the decommitment, computes the answer z in π, and
sends z to V
● V accepts if and only if transcript (a, e, z) is accepting in π on
input x
22. Commitment From Σ-protocol
● Verifier = receiver
● Prover = sender
● Set-up: V generates (x; w), sends x to P
● Commit: to commit to a t-bit string e. P runs simulator on
(x, e) to get (a, e, z) and sends a to V
● Open: to reveal the commitment, P sends (e, z) to V, V
checks (a, e, z)
24. Signature From Σ-protocol
● (x; w)
● public key x
● private key w
● message m
● e = R(a++m)
● (a, z) is a signature
● as hard to break as to compute w from x (in ROM)
25. Conclusion
● One template for many protocols
● Highly efficient
● Composable
● Provably secure
● Makes things easier
● Crypto is HARD anyway...