Suyash Bagad
Cryptography Engineer
Zero Knowledge Proofs & One-way Functions
Aztec Study Club - 1
09 Feb 2022
Proof of Knowledge
Coke from Bottle
Coke from Can
Victor
Peter
\(x\)
\(V\)
\(P\)
Coke from Can
Victor
Peter
Guess?
Bottle!
\langle P, V \rangle (x) = \begin{cases}
1 & \text{if } V \text{ accepts} \\
0 & \text{if } V \text{ rejects}
\end{cases}
Proof of Knowledge
Proof of Knowledge
Coke from Bottle
Coke from Can
Victor
Peter
Try again!
Proof of Knowledge
Coke from Bottle
Victor
Peter
Can!
If \(P\) actually knows the taste, \( \Pr[ \langle P,V \rangle(x) = 1 ]\) = 1
If \(P\)'s claim is wrong, \( \Pr[ \langle P,V \rangle(x) = 1 ] = \left(\frac{1}{2}\right)^2 \)
\(\implies\) Completeness!
\(\implies\) Soundness!
Zero Knowledge Proofs
Zero Knowledge Proofs
Reveal!
Zero Knowledge Proofs
Zero Knowledge Proofs
Zero Knowledge Proofs
Zero Knowledge Proofs
Reveal!
Zero Knowledge Proofs
Zero Knowledge Proofs
On repeating the experiment a number of times,Â
- If the prover is honest, verifier accepts!
- If the prover is cheating, verifier will catch it!
- No information about 3-colouring is revealed!
- 3-colouring \(\equiv\) witness
- Graph \(\equiv\) circuit
\(\text{Completeness,}\)
\(\text{Soundness,}\)
\(\text{Zero-Knowledge!}\)
Interactive Demo
Passwords
| qwerty | 5GoMDX3Gf0isYiaju1xUjg== | 65e84be33532....f58ee02337c5 |
| 123456 | 5EegZyYU+YzqFuT9OVCnDw== | 8d969eef6eca....0c923adc6c92 |
| #hq9283ja!62 | HDVQ59KJNL/YV1v15zQLug== | bb30ecf30bbb....83f101292810 |
Plaintext
Encryption \((\text{AES})\)
Hashing \((\text{SHA-}256)\)
Hash Functions
\(\texttt{Input}\)
\(\texttt{Output}\)
\(\texttt{SHA3 }(\text{Keccak})\)
Hash Functions
- Hash functions have three properties
- Fast to compute: \(y = H(x)\)
- Collision resistance: \(H(x) = H(x') {\ \;\not\!\!\!\implies \ } x \neq x'\)
- Pre-image resistance: \(y = H(x) {\ \;\not\!\!\!\implies \ } x\)
- A modern GPU can compute \(\approx 29\times 10^7\) hashes per second
- Brute force attack?
\(\text{SHA-}3(\hspace{2cm}) = \Big(\hspace{4.8cm}\Big)\)
\(\texttt{b27ensk=wh}\)
\(\texttt{b654e400924d2d43b0b49b6beb52cd96}\)
\(\texttt{c983e26536eb455f80e2ab7fe07827a8}\)
\(\texttt{2bd0650eae8e3e9bda13c067f08da778}\)
\(\texttt{9624f52e63757ce0db5da6940c0c74e1}\)
\(\texttt{tbsowsn293nsj}\)
\(\texttt{089f29913f16c3cea73116b3445d2244}\)
\(\texttt{97fea922c4c501f1cd965cfd921c1a4d}\)
\(\texttt{92528721816}\)
- What if two persons use a same password?
Practical Hashing
\(\texttt{2258711681eb2d82bdcd3d2f979fb267}\)
\(\texttt{d1fc94d0bd2668a8a0c04432d9e38e23}\)
\(\texttt{4d83aa3cc95a7277073a27fa6df6422b}\)
\(\texttt{9eddf7bd5eeb7c2b900ba5d40259adfc}\)
- But how can we neutralise brute force attacks?
\(\text{scrypt/argon2} \big( \textcolor{lightgreen}{\texttt{password}},\ \textcolor{orange}{\texttt{salt}},\ \textcolor{cyan}{\texttt{rounds}}\big) \)
- Allowing same passwords for different users
\(\text{SHA-}3(\textcolor{lightgreen}{\texttt{qwerty}},\ \textcolor{orange}{\texttt{sG5ks7}}) = \Big(\hspace{4.8cm}\Big)\)
\(\text{SHA-}3(\textcolor{lightgreen}{\texttt{qwerty}},\ \textcolor{orange}{\texttt{6fbj1\&}}) = \Big(\hspace{4.8cm}\Big)\)
password
salt
Practical Hashing
\(\texttt{password}\)
\(\text{SHA-}256\)
\(\text{argon2}\)
\(\text{AES encrypt}\)
Application in Aztec
UTXO note in Aztec
\(\textsf{C} = H_{\text{Pedersen}}\Bigg[ \hspace{2.6cm} \Bigg]\)
Commitment to a note, only collision resistant
\(\textsf{N} = H_{\text{Blake2}}H_{\text{Pedersen}}\big( \textsf{C} \big)\)
Nullifier of a note, collision and pre-image resistant
\(\textsf{E} = \text{AES}_{\text{CBC}, k}\Bigg[ \hspace{2.3cm} \Bigg]\)
Note encryption, to be decrypted by the receiver
Summary
- We saw simple examples of ZKPs
- Proofs of Knowledge
- 3-Colouring of a graph
- Hash functions vs encryption
- Practical password management
- Application in Aztec
- In the next discussion:
- Elliptic curve cryptography
Aztec Study Club 1 - ZKPs
By Suyash Bagad
Aztec Study Club 1 - ZKPs
Aztec Study Club's first presentation on Zero Knowledge Proofs and One-way functions.
