CN114006702B - Zero knowledge proof segmentation circuit and information verification method - Google Patents
- Publication number: CN114006702B (application CN202111281903.8A)
- Authority: CN (China)
- Prior art keywords: circuit, verification, privacy, information, key
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L9/3218 (H04L9/32, cryptographic mechanisms including means for verifying the identity or authority of a user or for message authentication): using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
- G06F21/6245 (G06F21/62, protecting access to data via a platform, e.g. using keys or access control rules): protecting personal data, e.g. for financial or medical purposes
- H04L9/3236 (H04L9/32): using cryptographic hash functions
Abstract
The invention belongs to the technical field of data protection and relates in particular to a zero-knowledge-proof splitting circuit and to a method for verifying information with it. The splitting circuit comprises a first execution circuit and a second execution circuit obtained by dividing a zk-SNARK circuit. The first execution circuit takes the information to be verified and a proving key as input and produces a first proof; the second execution circuit produces a second proof; a verifier checks the first proof and the second proof to verify the information. The first proof comprises a privacy intermediate value; the second proof comprises a public output value, which the second execution circuit generates from the privacy intermediate value it receives. Dividing the zk-SNARK circuit markedly reduces the memory footprint of the Prove stage. A hash circuit is added so that the data handed from one part to the other cannot be tampered with.
Description
Technical Field
The invention belongs to the technical field of data protection and relates in particular to a zero-knowledge-proof splitting circuit and to a method for verifying information with that circuit.
Background
A zero-knowledge proof lets a prover convince a verifier that an assertion is true without giving the verifier any other useful information. It provides a privacy solution in which the prover persuades the verifier of a series of statements without revealing the underlying information. For example, a person may prove the right to enter a room by showing that their identity or biometric information satisfies certain access rules, while keeping that information private. Blockchain applications built on zero-knowledge proofs include many privacy-protection schemes, especially in finance, such as zeroflash, decentralised anonymous payments and blocksize; these protect information such as sender and receiver identities and transfer amounts from leaking without giving up the transparency the blockchain provides. Beyond finance, zero-knowledge proofs are widely used in decentralised file systems, smart grids, traffic management and COVID-19 contact tracing.
zk-SNARK (succinct non-interactive argument of knowledge) is the mainstream zero-knowledge proof construction. As shown in Fig. 1, a zk-SNARK system is typically used to prove that the prover knows a secret value w such that F(x, w) = true, where F is a zero-knowledge proof circuit (a function-like relation), x is the public input and w is the private input.
zk-SNARKs generally involve three procedures:
(1) Setup: Setup(1^κ, F) → (pk, vk). Given a security parameter 1^κ and a zk-SNARK circuit F, a trusted third party generates the public parameters, consisting of a proving key pk and a verification key vk.
(2) Prove: Prove(F, x, w, pk) → π. Given the circuit F, the public input x, the private input w and the proving key pk, the prover outputs a constant-size proof π that F(x, w) = true, without revealing any information about w.
(3) Verify: Verify(x, π, vk) → {0, 1}. Given the public input x, the proof π and the verification key vk, the verifier outputs 1 if and only if π passes verification.
The zk-SNARK proofs described above are generally inefficient in CPU time and memory; the Setup and Prove stages in particular need a large amount of memory and take a long time, so the prover must have substantial computing power and memory. This memory consumption limits the use of zk-SNARKs in resource-constrained settings such as edge computing and the Internet of Things: edge devices collect large amounts of sensitive user data, yet their limited memory prevents zero-knowledge techniques from protecting that data, and for the same reason a typical smartphone cannot act as the prover of a large-scale zero-knowledge proof.
Disclosure of Invention
The invention aims to remedy the large memory footprint, long running time and low efficiency of existing zk-SNARK zero-knowledge-proof circuits by optimising the circuit on the basis of zk-SNARK.
To this end, the technical scheme adopted by the invention is as follows. The device comprises a first execution circuit and a second execution circuit obtained by dividing a zk-SNARK circuit; the first execution circuit takes the information to be verified and a proving key as input and produces a first proof; the second execution circuit produces a second proof; the first proof and the second proof are verified by a verifier to verify the information to be verified; the first proof comprises a privacy intermediate value; the second proof comprises a public output value; and the public output value is generated by the second execution circuit from the input privacy intermediate value.
Further, a first hash circuit connected to the first execution circuit generates a first hash value and the privacy intermediate value from the input information to be verified; a second hash circuit connected to the second execution circuit generates a second hash value from the input privacy intermediate value; comparing the first hash value with the second hash value verifies whether the privacy intermediate value output by the first execution circuit is the same as the one input into the second execution circuit.
Further, the zk-SNARK circuit is divided as follows:
represent the zero-knowledge circuit as an R1CS structure;
select any source point in the R1CS structure graph;
with every edge weight set to 1, compute the distance from the source point to every other point in the graph by breadth-first traversal;
sort the points by distance from small to large and rename them in that order as (v_1, v_2, ..., v_n), where n is the number of points in the graph;
define the point set A as (v_1, v_2, ..., v_i), so that its complement Ā is (v_{i+1}, v_{i+2}, ..., v_n); solve for the point set A_s that minimises the cut criterion, where σ(A) is the number of edges between A and Ā, |A| is the size of A and |Ā| is the size of Ā, and cut the graph into two parts along the boundary of A_s;
add a hash circuit to each of the two parts; the part containing the selected source point is the first execution circuit and the other part is the second execution circuit.
To further achieve the object of the invention, the invention also provides an information verification method comprising the steps of:
(1) obtaining a pre-agreed proving key;
(2) inputting the user's information to be verified and the proving key into a preset zero-knowledge-proof splitting circuit to obtain a first proof and a second proof;
(3) sending the first proof and the second proof to a verifier, which verifies them with a preset verification key without accessing the content of the information to be verified, thereby verifying that information;
the zero-knowledge-proof splitting circuit comprises a first execution circuit and a second execution circuit; the first execution circuit generates the first proof and the second execution circuit generates the second proof.
Further, a first proving key and a first verification key, and a second proving key and a second verification key, are generated from preset cryptographic parameters.
Further, the user's information to be verified and the first proving key are input into the first execution circuit to obtain the first proof, which comprises a privacy intermediate value and a first hash value.
Further, the privacy intermediate value and the second proving key are input into the second execution circuit to obtain the second proof, which comprises a second hash value and a public output value.
Further, when the first hash value equals the second hash value, the verifier verifies the first proof and the second proof.
Further, the verifier verifies the first proof with the first verification key and the second proof with the second verification key; when both proofs pass verification, the user's information to be verified is verified.
Compared with the prior art, the invention has the following beneficial effects:
the invention divides the zk-SNARKs circuit, and can obviously reduce the memory occupation of the zero knowledge proof live stage after division. After the zk-SNARKs circuit is split, a hash circuit is added for the split circuit, so that the authenticity of the data is ensured, and the data to be verified is prevented from being tampered.
Drawings
FIG. 1 is a schematic diagram of a prior art zero knowledge proof circuit;
FIG. 2 is a schematic diagram of a zero knowledge proof partitioning circuit according to the present invention;
FIG. 3 is a schematic diagram of R1CS structure; in the figure, x represents a public variable, and w represents a privacy variable.
Detailed Description
In order that the invention may be readily understood, a more particular description thereof will be rendered by reference to specific embodiments that are illustrated in the appended drawings. Preferred embodiments of the present invention are shown in the drawings. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete.
Example 1. This example provides a zero-knowledge-proof splitting circuit as shown in Fig. 2. For a zk-SNARK circuit F with F(x, w) = true, the split is described by the tuple (F_1, F_2, H, x, w, m, h, h'), where F_1 and F_2 are the two circuits after splitting, H is a hash circuit, and x, w, m, h and h' are variables.
Specifically, F_1(x, w) = (h, m) is the first execution circuit, i.e. the first part of F after splitting with the hash circuit H added, where x is the public input variable, w is the privacy input variable, h is a public output variable and m is the privacy intermediate variable output by F_1; the added hash circuit enforces h = H(m).
F_2(m) = (o, h') is the second execution circuit, i.e. the second part of F after splitting with the hash circuit H added, where m is the privacy intermediate variable input to F_2, and o and h' are public output variables; the added hash circuit enforces h' = H(m).
To guarantee that the privacy intermediate variable m input to F_2 is the same data as the privacy intermediate variable m output by F_1, it suffices to check h = h'; this is what prevents m from being tampered with. S = (F_1, F_2) is then the split circuit of F.
The circuit F is divided as follows. Any zero-knowledge-proof circuit can be expressed as an R1CS structure whose structure graph is a directed acyclic graph, as shown in Fig. 3; the graph is divided by the following algorithm:
(1) Select a source point s in the graph.
(2) With every edge weight set to 1, compute the distance from s to each point in the graph by breadth-first traversal.
(3) Sort the points by distance from small to large and rename them in that order as (v_1, v_2, ..., v_n), where n is the number of points in the graph.
(4) Define the point set A as (v_1, v_2, ..., v_i), so that its complement Ā is (v_{i+1}, v_{i+2}, ..., v_n). Solve for the point set A_s that minimises the cut criterion, where σ(A) is the number of edges between A and Ā, |A| is the size of A and |Ā| is the size of Ā, and cut the graph into two parts along the boundary of A_s.
(5) Add a hash circuit to each of the two parts to form the splitting circuit. The part containing the selected source point is the first execution circuit F_1 and the other part is the second execution circuit F_2.
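The BFS-prefix cut described in the division method above (in both the summary and Example 1) can be run on a small constructed R1CS graph. The block below is an added example written for this page, not code from the patent. It assumes, since the page does not say so, that the R1CS graph has one node per variable and one edge from each variable a constraint reads to the variable it defines, and that the criterion minimised over the prefixes A = (v_1, ..., v_i) is σ(A) / (|A| · |Ā|), built from the σ(A), |A| and |Ā| the page defines; the sample circuit (a squaring chain in the spirit of the page's for-loop test) and the tie-breaking rule are also assumptions.

```python
"""Added example: the BFS-prefix cut used to split an R1CS graph into F_1 and F_2.

Illustration code written for this page, not code from the patent. Assumptions
not stated on the page: the R1CS graph has one node per variable and an edge
from each variable a constraint reads to the variable it defines; the cut
criterion minimised over the prefixes A = {v_1, ..., v_i} is
sigma(A) / (|A| * |A_bar|); ties keep the earliest prefix.
"""
from collections import deque


def squaring_chain_r1cs(n_rounds):
    """Constructed sample circuit: t0 = x * w, then t_{i+1} = t_i * t_i for
    n_rounds rounds. Each constraint is (inputs, output)."""
    constraints = [(("x", "w"), "t0")]
    for i in range(n_rounds):
        constraints.append(((f"t{i}", f"t{i}"), f"t{i + 1}"))
    return constraints


def build_graph(constraints):
    """Undirected adjacency over variables. The R1CS graph is a DAG, but
    sigma(A) counts crossing edges in either direction, so direction is dropped."""
    adj = {}
    for inputs, out in constraints:
        adj.setdefault(out, set())
        for v in set(inputs):
            adj.setdefault(v, set())
            if v != out:
                adj[v].add(out)
                adj[out].add(v)
    return adj


def bfs_order(adj, source):
    """Unit-weight BFS from `source`; returns every reachable vertex ordered by
    distance (ties by name, so the renaming v_1..v_n is deterministic)."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for v in sorted(adj[u]):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return sorted(dist, key=lambda v: (dist[v], v))


def cut_ratio(sigma, size_a, size_b):
    """Assumed criterion: crossing edges normalised by both part sizes."""
    return sigma / (size_a * size_b)


def best_prefix_cut(adj, order):
    """Scan A = {v_1..v_i} for 1 <= i < n, maintaining sigma(A) incrementally:
    moving v into A turns its edges into A into internal edges (-1 each) and
    its other edges into crossing edges (+1 each). Returns (A, A_bar, sigma)."""
    n = len(order)
    if n < 2:
        return list(order), [], 0
    in_a = set()
    sigma = 0
    best = None
    for i, v in enumerate(order[:-1], start=1):
        for u in adj[v]:
            sigma += -1 if u in in_a else 1
        in_a.add(v)
        ratio = cut_ratio(sigma, i, n - i)
        if best is None or ratio < best[0]:
            best = (ratio, i, sigma)
    _, i, sigma = best
    return order[:i], order[i:], sigma


def split_circuit(constraints, source):
    """Full procedure: graph -> BFS order from the chosen source -> best prefix cut.
    The part containing the source is F_1; the variables of F_1 with an edge into
    F_2 are the privacy intermediate values m that F_1 must hand to F_2."""
    adj = build_graph(constraints)
    order = bfs_order(adj, source)
    part1, part2, sigma = best_prefix_cut(adj, order)
    crossing = sorted(v for v in part1 if any(u in part2 for u in adj[v]))
    return part1, part2, sigma, crossing


if __name__ == "__main__":
    f1, f2, sigma, m = split_circuit(squaring_chain_r1cs(6), source="x")
    print("F_1:", f1)
    print("F_2:", f2)
    print("crossing edges:", sigma, "intermediate values m:", m)
```

On the six-round chain the scan settles on A_s = {x, t0, t1, w} with a single crossing edge, so t1 is the one intermediate value the hash circuit has to commit to; a hub variable read by every round (the public input x in a loop that reuses it) would instead cross any balanced prefix and drive the cut toward one end of the chain, which is worth checking before trusting the split on a real circuit.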
Embodiment 2. This embodiment provides an information verification method using the zero-knowledge-proof splitting circuit S = (F_1, F_2). The proving process and its steps are as follows:
(1) Obtain the proving key and the verification key.
Setup: Setup(1^κ, F, S) → (pk_S, vk_S).
Given a zk-SNARK circuit F, its split circuit S = (F_1, F_2) and a security parameter 1^κ, a trusted authority first checks that S is a split circuit of F, then runs Setup(1^κ, F_1) to generate the key pair (pk_1, vk_1) and Setup(1^κ, F_2) to generate the key pair (pk_2, vk_2). The proving key is defined as pk_S = (pk_1, pk_2) and the verification key as vk_S = (vk_1, vk_2), where pk_1 is the first proving key, vk_1 the first verification key, pk_2 the second proving key and vk_2 the second verification key.
(2) Input the user's information to be verified and the proving key into the preset zero-knowledge-proof splitting circuit to obtain the first proof and the second proof.
Prove: Prove(S, x, w, pk_S) → π_S. Given the split circuit S = (F_1, F_2), the public input variable x, the private input variable w and the proving key pk_S = (pk_1, pk_2), the prover evaluates the first execution circuit F_1(x, w) = (h, m) to obtain the privacy intermediate value m and the first hash value h, and produces the first proof π_1 by running Prove over (F_1, x, w, m, h, pk_1), with x and h as public values and w and m as private values; it then evaluates the second execution circuit F_2(m) = (o, h') to obtain the public output variable o and the second hash value h', and produces the second proof π_2 by running Prove over (F_2, m, h, pk_2), with h as the public value and m as the private value.
h = H(m) and h' = H(m) are public outputs; by comparing h and h', if the two values are equal, the prover has not maliciously modified the privacy intermediate value m, and the authenticity of m is assured.
(3) The verifier verifies the proof π_S = (π_1, π_2).
Verify: Verify(x, h, π_S, vk_S) → {0, 1}. Given the known public variables x and h, the proof π_S and the verification key vk_S = (vk_1, vk_2), the verifier computes v_1 = Verify(x, h, π_1, vk_1) and v_2 = Verify(h, π_2, vk_2); verification passes when v_1 = 1 and v_2 = 1.
Thus the verifier verifies the information to be verified without accessing the user's privacy input variable w.
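The seam between the two halves is the security-relevant point of Embodiment 2: the verifier passes the same public h to both Verify calls, so the second proof only verifies if the m that F_2 consumed hashes to the h that F_1 committed to. The block below is an added example written for this page, not the patent's implementation. It replaces the zk-SNARK Prove/Verify pair with a plain R1CS satisfiability check in which the emulated proof carries the whole variable assignment, so nothing in it is zero-knowledge or succinct; what it shows is how h and h' bind m across F_1 and F_2 and that a prover who feeds a different m into F_2 is rejected whichever h' it claims. The field (2^61 - 1), the hash gadget stand-in (SHA-256 of the 32-byte big-endian encoding of m, reduced modulo the field prime), the toy circuit and the split point are all assumptions.

```python
"""Added example: the seam check between the two halves of a split proof.

Illustration code written for this page, not the patent's implementation.
The zk-SNARK Prove/Verify pair is emulated by R1CS constraint checking over
a full assignment (no zero knowledge, no succinctness). Assumptions: the
field P, the SHA-256 hash stand-in, and the toy circuit t0 = x*w,
t_{i+1} = t_i^2, split after round k of n.
"""
import hashlib

P = 2**61 - 1  # constructed: a small Mersenne prime standing in for the SNARK field


def H(m):
    """Hash gadget stand-in; in a real circuit this is a hash sub-circuit."""
    digest = hashlib.sha256((m % P).to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") % P


# Constraint forms: ("mul", a, b, out) means z[a] * z[b] = z[out];
# ("hash", inp, out) is the added hash circuit, meaning H(z[inp]) = z[out].
def circuit_part1(k):
    cs = [("mul", "x", "w", "t0")]
    cs += [("mul", f"t{i}", f"t{i}", f"t{i + 1}") for i in range(k)]
    cs.append(("hash", f"t{k}", "h"))   # h = H(m) with m = t_k
    return cs


def circuit_part2(k, n):
    cs = [("mul", f"t{i}", f"t{i}", f"t{i + 1}") for i in range(k, n)]
    cs.append(("hash", f"t{k}", "hp"))  # h' = H(m) recomputed inside F_2
    return cs


def satisfied(constraints, z):
    """Emulated Verify core: every constraint holds under assignment z."""
    for c in constraints:
        if c[0] == "mul":
            _, a, b, out = c
            if z[a] * z[b] % P != z[out]:
                return False
        else:
            _, inp, out = c
            if H(z[inp]) != z[out]:
                return False
    return True


def prove_part1(x, w, k):
    """F_1(x, w) = (h, m): run the first k rounds and commit to m."""
    z = {"x": x % P, "w": w % P, "t0": x * w % P}
    for i in range(k):
        z[f"t{i + 1}"] = z[f"t{i}"] ** 2 % P
    z["h"] = H(z[f"t{k}"])
    return {"public": {"x": z["x"], "h": z["h"]}, "assignment": z, "m": z[f"t{k}"]}


def prove_part2(m, k, n):
    """F_2(m) = (o, h'): finish the remaining rounds from the handed-over m."""
    z = {f"t{k}": m % P}
    for i in range(k, n):
        z[f"t{i + 1}"] = z[f"t{i}"] ** 2 % P
    z["hp"] = H(z[f"t{k}"])
    return {"public": {"hp": z["hp"], "o": z[f"t{n}"]}, "assignment": z}


def forge_part2(m_prime, k, n, h):
    """A cheating prover that swaps in m' but claims the honest h as h'."""
    pi = prove_part2(m_prime, k, n)
    pi["assignment"]["hp"] = h
    pi["public"]["hp"] = h
    return pi


def verify_part(constraints, public, pi):
    """Verify(public, pi, vk): the public slots the verifier supplies must
    match the proof's assignment, and every constraint must hold."""
    z = pi["assignment"]
    return all(z.get(name) == val for name, val in public.items()) and satisfied(constraints, z)


def verify_split(x, h, pi1, pi2, k, n):
    """Mirrors v_1 = Verify(x, h, pi_1, vk_1) and v_2 = Verify(h, pi_2, vk_2):
    the same public h goes to both halves, which is what forces h' = h."""
    v1 = verify_part(circuit_part1(k), {"x": x % P, "h": h}, pi1)
    v2 = verify_part(circuit_part2(k, n), {"hp": h}, pi2)
    return v1 and v2


if __name__ == "__main__":
    x, w, k, n = 3, 5, 2, 5
    pi1 = prove_part1(x, w, k)
    h = pi1["public"]["h"]
    print("honest:", verify_split(x, h, pi1, prove_part2(pi1["m"], k, n), k, n))
    print("different m:", verify_split(x, h, pi1, prove_part2(pi1["m"] + 1, k, n), k, n))
    print("forged h':", verify_split(x, h, pi1, forge_part2(pi1["m"] + 1, k, n, h), k, n))
```

Two failure paths are covered: an honest second proof over a different m yields h' ≠ h and fails the public-input match, while a forged proof that copies h into h' fails the hash constraint inside F_2. In a real deployment the verifier must also bind o to the statement it cares about; the page's Verify(h, π_2, vk_2) lists only h, so the example follows that and leaves o unchecked.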
Experiments were performed on for-loop zero-knowledge-proof circuits to demonstrate the practical effect of the proposed split circuits. The circuit size was adjusted by setting the number of for-loop iterations to 10000, 30000, 50000, 100000, 200000 and 300000 respectively (circuits 1 to 6), and the time and memory consumption of the Prove stage were measured before and after splitting for each size; the memory footprint of the split circuit is markedly lower. The results are given in Table 1.
Table 1. Time and memory consumption of the Prove stage before and after circuit splitting
Claims (5)
1. A zero-knowledge-proof splitting circuit, characterised in that: it comprises a first execution circuit and a second execution circuit obtained by dividing a zk-SNARK circuit; the first execution circuit takes information to be verified and a proving key as input and produces a first proof; the second execution circuit produces a second proof; the first proof and the second proof are verified by a verifier to verify the information to be verified; the first proof comprises a privacy intermediate value; the second proof comprises a public output value; and the public output value is generated by the second execution circuit from the input privacy intermediate value;
the zk-SNARK circuit is divided as follows:
the zk-SNARK circuit is represented as an R1CS structure;
any source point is selected in the R1CS structure graph;
with every edge weight set to 1, the distance from the source point to every other point in the graph is computed by breadth-first traversal;
the points are sorted by distance from small to large and renamed in that order as (v_1, v_2, ..., v_n), n being the number of points in the graph;
the point set A is defined as (v_1, v_2, ..., v_i), so that its complement Ā is (v_{i+1}, v_{i+2}, ..., v_n); the point set A_s minimising the cut criterion is solved for, where σ(A) is the number of edges between A and Ā, |A| is the size of A and |Ā| is the size of Ā, and the graph is cut into two parts along the boundary of A_s;
and a hash circuit is added to each of the two parts, the part containing the selected source point being the first execution circuit and the other part the second execution circuit.
2. The zero-knowledge-proof splitting circuit of claim 1, wherein: the first execution circuit generates a privacy intermediate value from the input information to be verified; a first hash circuit connected to the first execution circuit generates a first hash value from the privacy intermediate value; a second hash circuit connected to the second execution circuit generates a second hash value from the input privacy intermediate value; and the first hash value is compared with the second hash value to verify whether the privacy intermediate value output by the first execution circuit is identical to the privacy intermediate value input into the second execution circuit.
3. An information verification method based on the zero-knowledge-proof splitting circuit of claim 1, characterised in that the method comprises:
(1) acquiring a proving key and a verification key, the proving key comprising a first proving key and a second proving key, and the verification key comprising a first verification key and a second verification key;
(2) inputting a user's information to be verified and the first proving key into the first execution circuit to obtain a first proof comprising a privacy intermediate value and a first hash value; and inputting the privacy intermediate value and the second proving key into the second execution circuit to obtain a second proof comprising a second hash value and a public output value;
(3) sending the first proof and the second proof to a verifier, which verifies them with the verification key without accessing the content of the information to be verified, thereby verifying that information.
4. The information verification method of claim 3, wherein the verifier verifies the first proof and the second proof when the first hash value equals the second hash value.
5. The information verification method of claim 4, wherein the verifier verifies the first proof with the first verification key and the second proof with the second verification key, and when both proofs pass verification the user's information to be verified is verified.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111281903.8A CN114006702B (en) | 2021-11-01 | 2021-11-01 | Zero knowledge proof segmentation circuit and information verification method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114006702A CN114006702A (en) | 2022-02-01 |
CN114006702B true CN114006702B (en) | 2023-05-16 |
Family
ID=79925977
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114006702B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117749380A (en) * | 2022-09-13 | 2024-03-22 | 中兴通讯股份有限公司 | Data processing method, computer device, and readable storage medium |
CN117034232A (en) * | 2023-10-08 | 2023-11-10 | 上海特高信息技术有限公司 | User identity security inspection method and device based on zero knowledge proof |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2021518687A (en) * | 2018-03-23 | 2021-08-02 | Nchain Holdings Limited | Computer-implemented systems and methods for trustless zero-knowledge incidental payments |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||