Introduction to Zero-Knowledge Proofs. Sarah Bordage, Ecole Polytechnique and Inria. Chaire Blockchain & B2B Platforms Working Group - May 20, 2021


Page 1: Introduction to Zero-Knowledge Proofs

Sarah Bordage, Ecole Polytechnique and Inria

Chaire Blockchain & B2B Platforms, Working Group - May 20, 2021

Page 2: How can you prove that something is true, without revealing why it is true?

TL;DR: use randomness in order to hide secrets.

Page 3: Zero-Knowledge Interactive Proof Systems [GMR85]

- Prover P claims that some statement s is true, e.g. "the 5th transaction in block 42 is correct."
- Verifier V asks questions to the prover P in order to challenge him.
- If the prover P gives correct answers to all the asked questions, then the verifier V gains confidence.

The resulting conversation is a zero-knowledge interactive proof if the following properties are satisfied:

Completeness: If s is true, there must exist a way to convince V.

Soundness: If s is false, there is no way P can convince V (except with small probability).

Zero-knowledge: If s is true, V learns nothing more than this fact.

On top of that: if P proves that he knows some piece of information, e.g. "I know the password associated to Jane_Doe.", it is also a proof of knowledge.


Page 6: Zero-knowledge proof: Sudoku

Prover P claims "I know a solution to this grid of Sudoku."

1. P samples a random permutation σ : {1, …, 9} → {1, …, 9}. For each cell with value x, P sends to V a commitment for the value σ(x).

[Figure: initial puzzle, prover's solution, scrambled solution, committed grid]


Page 9: Zero-knowledge proof: Sudoku (continued)

2. V samples a random challenge among 28 choices: a row, a column, a subgrid, or a "consistency check".

3. P opens the corresponding commitments.

4. If the challenge was a row, a column or a subgrid, V checks that all the opened values are different.
   If the challenge was the consistency check, V checks: a. if two given values of the initial puzzle were different, then the opened values are different; b. if two given values were the same, then the opened values are the same.

[Figure: initial puzzle, opened values]

Page 10: Zero-knowledge proof: Sudoku

[Figure: message flow. P sends the commitment to V, V sends a random challenge, P sends the response, V outputs accept / reject.]


Page 12: Proving zero-knowledgeness

V learns nothing more from the proof… What does it mean?

Perfect zero-knowledge. For every efficient verifier V*, there exists an efficient simulator S such that for every true statement s, {transcript((P, V*)(s))} ≡ {S^V*(s)}, i.e. the two distributions are the same.

[Figure: P (secret + public statement s) interacting with V* (public statement s) produces the real transcript; S, given only the public statement s, produces the simulated transcript; the two are indistinguishable. S can run V* and rewind it.]

Page 13: Proving knowledge soundness

P knows a piece of information… What does it mean?

Proof of knowledge with knowledge error ε. There exists an efficient extractor E such that for every prover P*,

  Pr[E^P*(s) outputs the secret w] > Pr[P* convinces V] - ε.

[Figure: P* (secret w + public statement s) makes V (public statement s) accept; E, given only the public statement s, can run P* and rewind it, and outputs the secret w.]

Page 14: ZKP for Sudoku: why it works

- Completeness is straightforward.

- Soundness: If the statement is false, then there is at least one question for which P cannot provide a correct answer. → V accepts with probability at most 1 - 1/28. Repeat enough times to get 99% chances of rejecting a false claim.

- Zero-knowledge: If the challenge is a row, a column or a subgrid, the opened values are a random permutation of {1, …, 9}. If the challenge is the consistency check, the opened values are a random injection of the predetermined values into {1, …, 9}.

- Proof of knowledge: If P can convince a verifier with high probability, then P is able to answer all 28 possible questions.
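The Sudoku protocol of Pages 6, 9 and 10 and the repetition count of this page, as an added example that is not from the slides: hash commitments with a random nonce, a random permutation σ, the 3N+1 challenges, the verifier's checks, and the number of rounds after which a false claim is rejected with 99% probability. It uses a constructed 4x4 puzzle (13 challenges) for brevity; with N, BOX = 9, 3 and a 9x9 grid the same code gives the slides' 28 challenges.

```python
import hashlib
import math
import secrets

# Constructed 4x4 instance (2x2 boxes) to keep the example short; with N, BOX = 9, 3 and a 9x9
# grid the same code gives the slides' 28 challenges (9 rows + 9 columns + 9 boxes + 1 check).
N, BOX = 4, 2
PUZZLE = [[1, 0, 0, 4], [0, 0, 1, 0], [0, 3, 0, 0], [2, 0, 0, 3]]   # 0 = empty cell
SOLUTION = [[1, 2, 3, 4], [3, 4, 1, 2], [4, 3, 2, 1], [2, 1, 4, 3]]

def challenges():
    """The verifier's challenge space: every row, column and box, plus one consistency check."""
    return ([("row", i) for i in range(N)] + [("col", i) for i in range(N)]
            + [("box", i) for i in range(N)] + [("consistency", 0)])

def cells_of(challenge):
    kind, i = challenge
    if kind == "row":
        return [(i, c) for c in range(N)]
    if kind == "col":
        return [(r, i) for r in range(N)]
    if kind == "box":
        r0, c0 = BOX * (i // BOX), BOX * (i % BOX)
        return [(r0 + dr, c0 + dc) for dr in range(BOX) for dc in range(BOX)]
    return [(r, c) for r in range(N) for c in range(N) if PUZZLE[r][c]]   # the given cells

def commit(value, nonce):
    """Hash commitment: hiding thanks to the random nonce, binding thanks to SHA-256."""
    return hashlib.sha256(nonce + bytes([value])).digest()

def prover_commit(solution):
    """Step 1: sample a random permutation sigma of {1..N} and commit to sigma(cell) for every cell."""
    sigma = list(range(1, N + 1))
    for i in range(N - 1, 0, -1):                   # Fisher-Yates driven by an unbiased CSPRNG
        j = secrets.randbelow(i + 1)
        sigma[i], sigma[j] = sigma[j], sigma[i]
    openings = {(r, c): (sigma[solution[r][c] - 1], secrets.token_bytes(16))
                for r in range(N) for c in range(N)}
    return {cell: commit(v, nonce) for cell, (v, nonce) in openings.items()}, openings

def prover_open(openings, challenge):
    """Step 3: reveal (value, nonce) only for the cells the challenge asks about."""
    return {cell: openings[cell] for cell in cells_of(challenge)}

def verifier_check(commitments, challenge, opened):
    """Step 4: every opening must match its commitment, then the challenge-specific property holds."""
    cells = cells_of(challenge)
    if set(opened) != set(cells):
        return False
    for cell, (v, nonce) in opened.items():
        if not 1 <= v <= N or commit(v, nonce) != commitments[cell]:
            return False
    if challenge[0] != "consistency":
        return len({opened[cell][0] for cell in cells}) == N      # row/col/box: all different
    # Consistency check: equal givens must open to equal values and different givens to
    # different values, which is exactly what a permutation of a real solution guarantees.
    return all((PUZZLE[a[0]][a[1]] == PUZZLE[b[0]][b[1]]) == (opened[a][0] == opened[b][0])
               for a in cells for b in cells)

def run_round(solution, challenge=None):
    """One interactive round; with challenge=None the verifier samples it uniformly (step 2)."""
    commitments, openings = prover_commit(solution)
    if challenge is None:
        space = challenges()
        challenge = space[secrets.randbelow(len(space))]
    return verifier_check(commitments, challenge, prover_open(openings, challenge))

def rounds_for_rejection(num_challenges, target=0.99):
    """Smallest n such that a false claim, accepted per round w.p. at most 1 - 1/m, survives n rounds w.p. <= 1 - target."""
    return math.ceil(math.log(1 - target) / math.log(1 - 1 / num_challenges))
```

With the slides' per-round bound of 1 - 1/28, rounds_for_rejection(28) evaluates to 127.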


Page 17: Non-interactive ZKP using a cryptographic hash function

Public-coin ZK proof. P holds the secret w and the statement s; V holds the statement s.
  P → V: commit c
  V → P: challenge r (V's random coins)
  P → V: response a
  V: accept / reject

Fiat-Shamir transform: public-coin ZK proof → non-interactive ZK proof. P computes the challenge itself as r = H(s, c) and sends the single message (c, a); V recomputes r = H(s, c) and outputs accept / reject.

Random Oracle Model: assume the cryptographic hash function H ≈ random function.

Page 18: ZK proofs of computational integrity


Page 22: Enable verifiable computing while keeping secrets

Let F be some program, x a public input, y a public output. Statement of the form "I know some secret input w such that F(x, w) = y."

e.g. "I know w such that SHA256(w) = 0xdeadbeef..."

→ Proof of computational integrity + zero-knowledge proof of knowledge.

Additionally, we would also like: a single message (no interaction) + a "short" proof + "fast" verification.

- Theoretically, constructions have been known for more than 30 years and involve Interactive Proofs, Zero-Knowledge Proofs, Probabilistically Checkable Proofs (PCPs), ...

- The theory became truly practical about 5 years ago!

→ ZK-SNARK: Zero-Knowledge Succinct Non-interactive ARgument(1) of Knowledge

→ ZK-STARK: Zero-Knowledge Scalable Transparent ARgument of Knowledge. Based on a long line of research: PCP theorem (90's), sublinear-size NIZK (late 90's), quasi-linear PCPs (2005), interactive oracle proofs (2016), fast univariate low-degree test (2018), ZK-STARK preprint (2018).

(1) Argument = proof which is sound against computationally bounded provers.

Page 23: A simplified ZK-STARK example

Page 24: ZK-STARK toy example

Public input: x ∈ 𝔽, number of steps T. Private input: an array K of T field elements.

Program F(x, T, K):
    for i = 0 to T - 1:
        x ← x*x + K[i]
    return x

[Figure: chain of T steps, input → (x ← x*x + K[0]) → (x ← x*x + K[1]) → … → (x ← x*x + K[T-1]) → output]

Given public input (x, T) and public output y, P must show that he knows a secret array K such that F(x, T, K) = y.

Page 25: ZK-STARK toy example: execution trace

Program F(x, T, K):
    for i = 0 to T - 1:
        x ← x*x + K[i]
    return x

Execution trace (one row per step):

    x       K
    x0      K[0]
    x1      K[1]
    x2      K[2]
    ...     ...
    xT-2    K[T-2]
    xT-1    K[T-1]


Page 32: ZK-STARK toy example: arithmetization

Given public input (x, T) and public output y, P must show that he knows a secret K such that F(x, T, K) = y.

P computes two polynomials f0(X) and f1(X) of degree T such that for all t ∈ {0, …, T-1}, f0(t) = x_t and f1(t) = K[t].

P and V define the "constraint" polynomial C(X0, X1, Y0) = Y0 - (X0^2 + X1) and the "locator" polynomial Z(X) = X(X-1)(X-2)⋅⋅⋅(X-(T-2)), so that a valid step t satisfies C(x_t, K[t], x_(t+1)) = 0.

Observe that the execution trace is valid
  iff for all t ∈ {0, …, T-2}, C(f0(t), f1(t), f0(t+1)) = 0 and f0(T-1) = y,
  iff Z(X) divides C(f0(X), f1(X), f0(X+1)) and (X - (T-1)) divides f0(X) - y,
  iff g(X) = C(f0(X), f1(X), f0(X+1)) / Z(X) is a polynomial of degree T + 1 and h(X) = (f0(X) - y) / (X - (T-1)) is a polynomial of degree T - 1.

[Execution trace and program as on Page 25; f0(X) interpolates the x column, f1(X) the K column.]
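The divisibility argument above, worked in code as an added example (not from the slides): polynomials are coefficient lists over a constructed prime field, and arithmetize builds f0, f1, C(f0(X), f1(X), f0(X+1)) and Z(X) from a claimed trace, returning the quotients g and h only when both divisions are exact, so a trace with a wrong step or a wrong claimed output gets None. It follows the slides' indexing (T rows x_0 … x_(T-1), transition constraint on rows 0 … T-2, output read at row T-1) and obtains f0(X+1) as the interpolation of the trace shifted one row to the left.

```python
P = 2**31 - 1   # constructed prime field for the toy example; any prime well above 9T works

def trim(a):
    """Polynomials are coefficient lists (index = degree); drop leading zeros."""
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def add(a, b):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % P
                 for i in range(n)])

def mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            out[i + j] = (out[i + j] + u * v) % P
    return trim(out)

def divmod_poly(a, b):
    """Long division in F_p[X]: returns (quotient, remainder)."""
    a, b = list(a), trim(list(b))
    inv_lead = pow(b[-1], P - 2, P)
    q = [0] * max(len(a) - len(b) + 1, 1)
    for i in range(len(a) - len(b), -1, -1):
        q[i] = a[i + len(b) - 1] * inv_lead % P
        for j, v in enumerate(b):
            a[i + j] = (a[i + j] - q[i] * v) % P
    return trim(q), trim(a)

def interpolate(points):
    """Lagrange interpolation: the unique polynomial of degree < len(points) through the points."""
    result = [0]
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis, denom = mul(basis, [(-xj) % P, 1]), denom * (xi - xj) % P
        result = add(result, mul(basis, [yi * pow(denom, P - 2, P) % P]))
    return result

def evaluate(a, s):
    acc = 0
    for c in reversed(a):             # Horner's rule
        acc = (acc * s + c) % P
    return acc

def locator(T):
    """Z(X) = X (X-1) ... (X-(T-2)): vanishes exactly on the constrained rows 0..T-2."""
    Z = [1]
    for t in range(T - 1):
        Z = mul(Z, [(-t) % P, 1])
    return Z

def trace(x, T, K):
    """Honest prover's trace, slides' indexing: x_{t+1} = x_t^2 + K[t], output y at row T-1 (K[T-1] unconstrained)."""
    xs = [x % P]
    for t in range(T - 1):
        xs.append((xs[-1] * xs[-1] + K[t]) % P)
    return xs

def arithmetize(xs, K, y):
    """Build f0, f1, Z and the quotients g, h from a claimed trace; None if a division is not exact."""
    T = len(xs)
    f0 = interpolate([(t, xs[t] % P) for t in range(T)])
    f1 = interpolate([(t, K[t] % P) for t in range(T)])
    f0_next = interpolate([((t - 1) % P, xs[t] % P) for t in range(T)])   # equals f0(X + 1)
    c = add(f0_next, mul(add(mul(f0, f0), f1), [P - 1]))   # C(f0, f1, f0(X+1)) = f0(X+1) - (f0^2 + f1)
    g, rem_g = divmod_poly(c, locator(T))                                # Z(X) | C(...) ?
    h, rem_h = divmod_poly(add(f0, [(-y) % P]), [(-(T - 1)) % P, 1])     # (X - (T-1)) | f0(X) - y ?
    if rem_g != [0] or rem_h != [0]:      # a wrong step or a wrong claimed output leaves a remainder
        return None
    return f0, f1, g, h
```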


Page 35: ZK-STARK toy example: commitments, consistency check and low-degree test

Recall: C(X0, X1, Y0) = Y0 - (X0^2 + X1), Z(X) = X(X-1)(X-2)...(X-(T-2)),
g(X) = C(f0(X), f1(X), f0(X+1)) / Z(X), h(X) = (f0(X) - y) / (X - (T-1)).

P computes evaluation vectors (expected to be Reed-Solomon* codewords):
  w0 := (f0(x))_{T ≤ x < 9T}
  w1 := (f1(x))_{T ≤ x < 9T}
  wg := (g(x))_{T ≤ x < 9T}
  wh := (h(x))_{T ≤ x < 9T}

P computes Merkle trees for the vectors w0, w1, wg and wh, and sends to V the Merkle roots
  H0 = MerkleRoot(w0), H1 = MerkleRoot(w1), H2 = MerkleRoot(wg), H3 = MerkleRoot(wh).

Consistency check: V samples s ∈ {T, …, 9T-1} and asks for w0(s), w1(s), w0(s+1), wg(s), wh(s) (with Merkle proofs). V checks that wh(s) = (w0(s) - y) / (s - 100) and wg(s) = C(w0(s), w1(s), w0(s+1)) / Z(s).

Low-degree test: P and V engage in a protocol LDT to show that w0, w1, wg and wh are evaluations of low-degree polynomials. In LDT, V queries only a logarithmic number of symbols of w0, w1, wg and wh.

[Execution trace and program as on Page 25.]

* Reed-Solomon code of length n, dimension d → evaluation of a univariate polynomial of degree < d on n points.

Page 36: Achieving zero-knowledge

By querying a symbol of w1, V learns a linear relation involving the coefficients of f1(X). Each entry of w0, w1, wg and wh reveals some information about the secret input K.

ZK simulator? For any set of queried positions Q, we want the distribution of w0|Q, w1|Q, wg|Q and wh|Q to be the uniform distribution over field elements satisfying, for each queried s, wh(s) = (w0(s) - y) / (s - 100) and wg(s) = C(w0(s), w1(s), w0(s+1)) / Z(s).

To achieve zero-knowledge against k-query bounded verifiers, replace

  P computes polynomials f0(X) and f1(X) of degree T such that for all t ∈ {0, …, T-1}, f0(t) = x_t and f1(t) = K[t]

by

  P samples uniformly at random two polynomials f0(X) and f1(X) of degree T + k such that for all t ∈ {0, …, T-1}, f0(t) = x_t and f1(t) = K[t].

[Execution trace as on Page 25; f0(X) interpolates the x column, f1(X) the K column.]
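Pages 33 to 36 and the Fiat-Shamir step of Page 17, worked together as an added example (not the slides' code): the prover blinds f0 and f1 with k+1 random extra points, evaluates w0, w1, wg, wh on {T, …, 9T-1}, Merkle-commits them and derives the query position s from a hash of the statement and the roots, and the verifier checks the Merkle paths and the two consistency equations. Assumptions: a constructed prime field and trace (T = 4, so the 8T-element vectors have power-of-two length and need no Merkle padding), the slide's divisor s - 100 read as s - (T - 1) (the definition of h(X); 100 is T - 1 for T = 101), and the low-degree test left out.

```python
import hashlib
import math
import secrets

P = 2**31 - 1   # constructed prime field, as in the arithmetization example
XS, KS, Y = [2, 7, 50, 2504], [3, 1, 4, 1], 2504   # constructed trace, x = 2, T = 4: x_{t+1} = x_t^2 + K[t]

def lagrange_at(points, s):
    """Evaluate at s the unique polynomial of degree < len(points) through the given points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num, den = num * (s - xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def blinded_polys(xs, K, k):
    """Page 36: random f0, f1 of degree T+k agreeing with the trace; k+1 extra random points at -1, -2, ..."""
    extra = [((-(i + 1)) % P, secrets.randbelow(P)) for i in range(k + 1)]
    f0 = [(t, x % P) for t, x in enumerate(xs)] + extra
    f1 = [(t, v % P) for t, v in enumerate(K)] + [(e, secrets.randbelow(P)) for e, _ in extra]
    return f0, f1

def H(*parts):
    return hashlib.sha256(b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)).digest()

def merkle_tree(leaves):
    """Levels bottom-up (leaf hashes first, [root] last); assumes a power-of-two number of leaves."""
    levels = [[H("leaf", i, v) for i, v in enumerate(leaves)]]
    while len(levels[-1]) > 1:
        levels.append([H("node", a, b) for a, b in zip(levels[-1][::2], levels[-1][1::2])])
    return levels

def merkle_path(levels, i):
    return [levels[d][(i >> d) ^ 1] for d in range(len(levels) - 1)]   # sibling at every level

def merkle_verify(root, i, value, path):
    node = H("leaf", i, value)
    for d, sib in enumerate(path):
        node = H("node", sib, node) if (i >> d) & 1 else H("node", node, sib)
    return node == root

def Z_at(T, s):
    return math.prod((s - t) % P for t in range(T - 1)) % P   # Z(X) = X (X-1) ... (X-(T-2))

def query_plan(T, y, roots):
    """Fiat-Shamir (Page 17): s = H(statement, commitments) in {T, ..., 9T-2}; s = 9T-1 is excluded
    because the check needs w0(s+1), which for s = 9T-1 lies outside the committed vector."""
    i = int.from_bytes(H("query", T, y, *roots), "big") % (8 * T - 1)
    return T + i, [(0, i), (0, i + 1), (1, i), (2, i), (3, i)]   # w0(s), w0(s+1), w1(s), wg(s), wh(s)

def prove(xs, K, y, k=2):
    """Pages 33-35: evaluate on {T..9T-1}, Merkle-commit w0, w1, wg, wh, then open the queried symbols."""
    T = len(xs)
    f0, f1 = blinded_polys(xs, K, k)
    e0 = [lagrange_at(f0, s) for s in range(T, 9 * T + 1)]     # f0 on the domain plus 9T, for wg(9T-1)
    w1 = [lagrange_at(f1, s) for s in range(T, 9 * T)]
    wg = [(e0[i + 1] - e0[i] ** 2 - w1[i]) * pow(Z_at(T, T + i), P - 2, P) % P for i in range(8 * T)]
    wh = [(e0[i] - y) * pow(i + 1, P - 2, P) % P for i in range(8 * T)]   # s - (T-1) = i + 1
    vecs = [e0[:8 * T], w1, wg, wh]
    trees = [merkle_tree(w) for w in vecs]
    roots = [t[-1][0] for t in trees]
    return roots, [(vecs[v][j], merkle_path(trees[v], j)) for v, j in query_plan(T, y, roots)[1]]

def verify(roots, opening, T, y):
    """V recomputes s, checks the five Merkle paths, then the two consistency equations of Page 35."""
    s, queries = query_plan(T, y, roots)
    if not all(merkle_verify(roots[v], j, val, path) for (v, j), (val, path) in zip(queries, opening)):
        return False
    a0, a0n, a1, ag, ah = (val for val, _ in opening)
    ok_h = ah * (s - (T - 1)) % P == (a0 - y) % P           # wh(s) * (s - (T-1)) = w0(s) - y
    ok_g = ag * Z_at(T, s) % P == (a0n - a0 * a0 - a1) % P   # wg(s) * Z(s) = C(w0(s), w1(s), w0(s+1))
    return ok_h and ok_g   # consistency at s only; the LDT (not shown) is what enforces low degree
```

Because the low-degree test is omitted, a prover that computes wh from a wrong claimed output y still passes this consistency check; it is the LDT on wh (no longer a low-degree codeword) that rejects it.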

Page 37: ZK-STARK toy example, ZK against k-query bounded verifier

Given public input (x, T) and public output y, P must show that he knows a secret K such that F(x, T, K) = y.

P samples uniformly at random two polynomials f0(X) and f1(X) of degree T + k such that for all t ∈ {0, …, T-1}, f0(t) = x_t and f1(t) = K[t].

P and V define the "constraint" polynomial C(X0, X1, Y0) = Y0 - (X0^2 + X1) and the "locator" polynomial Z(X) = X(X-1)(X-2)⋅⋅⋅(X-(T-2)).

Observe that the execution trace is valid
  iff for all t ∈ {0, …, T-2}, C(f0(t), f1(t), f0(t+1)) = 0 and f0(T-1) = y,
  iff there exists D(X) such that C(f0(X), f1(X), f0(X+1)) = Z(X)D(X) and f0(T-1) = y,
  iff g(X) = C(f0(X), f1(X), f0(X+1)) / Z(X) is a polynomial of degree T + 1 + 2k and h(X) = (f0(X) - y) / (X - (T-1)) is a polynomial of degree T - 1 + k.

[Execution trace and program as on Page 25.]


Page 39: ZK-STARK toy example, ZK against k-query bounded verifier (continued)

Same as before!

Recall: C(X0, X1, Y0) = Y0 - (X0^2 + X1), Z(X) = X(X-1)(X-2)...(X-(T-2)),
g(X) = C(f0(X), f1(X), f0(X+1)) / Z(X), h(X) = (f0(X) - y) / (X - (T-1)).

P computes evaluation vectors (expected to be Reed-Solomon codewords):
  w0 := (f0(x))_{T ≤ x < 9T}
  w1 := (f1(x))_{T ≤ x < 9T}
  wg := (g(x))_{T ≤ x < 9T}
  wh := (h(x))_{T ≤ x < 9T}

P computes Merkle trees for the vectors w0, w1, wg and wh, and sends to V the Merkle roots
  H0 = MerkleRoot(w0), H1 = MerkleRoot(w1), H2 = MerkleRoot(wg), H3 = MerkleRoot(wh).

Consistency check: V samples s ∈ {T, …, 9T-1} and asks for w0(s), w1(s), w0(s+1), wg(s), wh(s). V checks that wh(s) = (w0(s) - y) / (s - 100) and wg(s) = C(w0(s), w1(s), w0(s+1)) / Z(s).

Low-degree test: P and V engage in a protocol LDT to show that w0, w1, wg and wh are evaluations of low-degree polynomials. In LDT, V queries only a logarithmic number of symbols of w0, w1, wg and wh. → set k accordingly.

[Execution trace and program as on Page 25.]

Page 40: Conclusion

Zero-knowledge: scramble the solution with randomness + maintain an invariant for verification.

ZK-STARKs
- Exponentially small verification of correctness of a program execution
- Quasilinear prover (finite field arithmetic + hash functions)
- No trusted setup
- Post-quantum security
- Cairo: Turing-complete language to write programs directly verifiable with STARK proofs.

A story for another day: ZK-SNARKs
- Constant-size proof, constant-time verification (pre-processing with trusted setup)
- Heavy cryptography (pairings, strong assumptions)

Page 41: Thank you!

Page 42: StarkEx

StarkEx:
- Ethereum L2 scalability solution based on validity proofs (see ZK-Rollups)
- Self-custodial transactions (trading & payments) for applications such as DeFi

Cairo: a Turing-complete language to write programs directly verifiable with STARK proofs. Source: https://docs.starkware.co/starkex-docs-v2