Zero-Knowledge Argument for Polynomial Evaluation with Applications to Blacklists Stephanie Bayer Jens Groth University College London


Zero-Knowledge Argument for Polynomial Evaluation with Applications to Blacklists

Stephanie Bayer

Jens Groth

University College London

Polynomial

[Figure: a polynomial with the point $(u, v)$ marked; labels $u$ and $v$.]

Zero-knowledge argument for correct polynomial evaluation

Statement:

such that

Prover Verifier

Witness

Soundness: Statement is true

Zero-knowledge: Nothing else revealed; remains secret

[Diagram labels: $v$, $u$]

Membership and non-membership proofs

• List and
• Define
• If then
  – Prove where committed trivially
• If then
  – Prove where and prove

[Diagram labels: $u$; $u$, $0$; $u$, $v$]

Zero-knowledge argument for correct polynomial evaluation

Statement:

such that

Prover Verifier

Witness

Special honest-verifier zero-knowledge: Given any challenge, possible to simulate the argument

[Diagram labels: $v$, $u$]

3-move argument

Public coin: Verifier picks challenge

Argument of knowledge: Can extract such that

Easy to convert to full zero-knowledge

Commitment properties

• Additively homomorphic: commitment to $a$ $\cdot$ commitment to $b$ $=$ commitment to $a+b$
• SHVZK argument for multiplicative relationship between commitments to $a$, $b$ and $ab$
• Examples
  – Pedersen commitments
  – ElGamal-style commitments

Simple SHVZK argument for correct polynomial evaluation

Horner’s rule gives us

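Commit to the intermediate values and prove correct

[Diagram: commitments to $u$, to the intermediate values $a_{D-1} + u a_D$, $u(a_{D-1} + u a_D)$, …, $a_1 + u \cdots$, and to $v$, linked by $\pi_{\text{mult}}$ arguments.]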

Efficiency – using Pedersen commitments

Degree D polynomial Rounds Prover Verifier Comm.

Chaum and Ped. 1992 3 expo. expo. group

Brands et al. 2007 3 . expo. group

Degree D polynomial Rounds Prover Verifier Comm.

This work 3 expo. mul.

expo. mult.

group field

Rewriting the polynomial

Prover wants to demonstrate

Without loss of generality

Write in binary to get

Commit to powers of

[Diagram: commitments to $u$, $u^2$, $u^4$, …, $u^{2^d}$, linked by $\pi_{\text{mult}}$ arguments.]

commitments and arguments

Zero-knowledge argument of knowledge of power of

Statement:

Accept if opens to

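Witness $u^{2^j}$

[Protocol diagram: the prover picks $f_j \leftarrow \mathbb{Z}_p$, the verifier picks $x \leftarrow \mathbb{Z}_p$ and sends $x$, and the prover answers $\bar{f}_j = x u^{2^j} + f_j$. Labels on the verifier's check: $x\,\cdot$, $u^{2^j}$, $f_j$.]

Knowledge: Answers to 2 challenges would reveal

Zero-knowledge: is uniformly random regardless of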

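Masked powers of

[Diagram: commitments to $u$, $u^2$, $u^4$, …, $u^{2^d}$ and the masked values]

$\bar{f}_0 = x u^{2^0} + f_0$

$\bar{f}_1 = x u^{2^1} + f_1$

$\bar{f}_2 = x u^{2^2} + f_2$

…

$\bar{f}_d = x u^{2^d} + f_d$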

A helpful polynomial

[Diagram labels: $v$, $\delta_d$, …, $\delta_1$, $\delta_0$]

Completeness: If prover ok

Soundness: If prover fails

commitments

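SHVZK argument for point on polynomial

Statement: such that

[Diagram labels: $v$, $u$; $\delta_d$, …, $\delta_1$, $\delta_0$]

$x \leftarrow \mathbb{Z}_p$

$\bar{f}_j = x u^{2^j} + f_j$

Accept if

$$\sum_{i_d,\ldots,i_0=0}^{1} a_{i_d \ldots i_0} \prod_{j=0}^{d} \bar{f}_j^{\,i_j} x^{1-i_j}$$

is inside

[Diagram: $v$, $\delta_d$, …, $\delta_1$, $\delta_0$ with factors $x^{d+1}$, $x^d$, …, $x$]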

Soundness
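The algebra behind the masked powers and the helpful polynomial above, as an added Python illustration (not the authors' code): it works on plain field elements, leaving out the commitments and the $\pi_{\text{mult}}$ arguments, and checks that the coefficient of $x^{d+1}$ is the polynomial's value at $u$. The 61-bit prime and all function names are assumptions made for the example.

```python
# Added illustration: field arithmetic only; commitments and pi_mult arguments are omitted.
import secrets

P = 2**61 - 1  # constructed demo prime (assumption); the slides benchmark a 256-bit subgroup

def mul_linear(poly, c0, c1):
    """Multiply poly (coefficients, lowest degree first) by (c0 + c1*X) mod P."""
    out = [0] * (len(poly) + 1)
    for k, c in enumerate(poly):
        out[k] = (out[k] + c * c0) % P
        out[k + 1] = (out[k + 1] + c * c1) % P
    return out

def prover_coefficients(coeffs, u, masks):
    """Expand sum_i a_i * prod_j (X*u^(2^j) + f_j)^(i_j) * X^(1-i_j) in X.
    Entry d+1 is the polynomial's value at u; entries 0..d are delta_0..delta_d."""
    total = [0] * (len(masks) + 1)
    for i, a_i in enumerate(coeffs):
        term = [a_i % P]
        for j, f_j in enumerate(masks):
            bit = (i >> j) & 1  # i_j, the j-th binary digit of the index i
            term = mul_linear(term, f_j if bit else 0, pow(u, 1 << j, P) if bit else 1)
        total = [(t + s) % P for t, s in zip(total, term)]
    return total

def verifier_accepts(coeffs, answers, x, v, deltas):
    """Check sum_i a_i * prod_j answer_j^(i_j) * x^(1-i_j) == v*x^(d+1) + sum_k delta_k*x^k."""
    lhs = 0
    for i, a_i in enumerate(coeffs):
        prod = a_i % P
        for j, ans in enumerate(answers):
            prod = prod * (ans if (i >> j) & 1 else x) % P
        lhs = (lhs + prod) % P
    rhs = v * pow(x, len(deltas), P) % P
    for k, delta in enumerate(deltas):
        rhs = (rhs + delta * pow(x, k, P)) % P
    return lhs == rhs

def run_argument(coeffs, u, claimed_v):
    """One run with honestly computed deltas; coeffs[i] is the coefficient of u^i."""
    bits = max(1, (len(coeffs) - 1).bit_length())        # d + 1 binary digits
    masks = [secrets.randbelow(P) for _ in range(bits)]  # f_j, fixed before x is known
    deltas = prover_coefficients(coeffs, u, masks)[:bits]
    x = 1 + secrets.randbelow(P - 1)                     # verifier's nonzero challenge
    answers = [(x * pow(u, 1 << j, P) + f) % P for j, f in enumerate(masks)]
    return verifier_accepts(coeffs, answers, x, claimed_v, deltas)

def evaluate(coeffs, u):
    return sum(a * pow(u, i, P) for i, a in enumerate(coeffs)) % P
```

With honest deltas, a wrong claimed value leaves a nonzero multiple of $x^{d+1}$ on one side of the check, so any nonzero challenge rejects it.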

SHVZK argument for polynomial evaluation

• 3-move public coin argument
• Simple setup with commitment key
• Perfect completeness
• Comp. soundness based on discrete log. problem
• Perfect special honest verifier zero-knowledge

Statement: such that 𝑣𝑢

Efficiency – using Pedersen commitments

Degree D polynomial Rounds Prover Verifier Comm.

This work 3 expo. mul.

expo. mult.

group field

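| Degree D | Rounds | Prover | Verifier | Comm. |
|---|---|---|---|---|
| 10 | 3 | 13 ms | 17 ms | 8 KB |
| 100 | 3 | 24 ms | 30 ms | 15 KB |
| 1000 | 3 | 41 ms | 45 ms | 21 KB |
| 10000 | 3 | 182 ms | 81 ms | 29 KB |
| 100000 | 3 | 1,420 ms | 217 ms | 35 KB |
| 1000000 | 3 | 15,512 ms | 1,315 ms | 41 KB |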

256-bit subgroup modulo 1536-bit prime on MacBook, 2.54 GHz