KR102268548B1 - Simulation-extractable succinct non-interactive arguments of knowledge method and apparatus - Google Patents

Abstract

The present invention discloses a method and apparatus for non-reciprocal zero-knowledge proof. According to the present invention, it includes a processor and a memory connected to the processor, wherein the memory generates a proof by adding a hash function with A and B as inputs to C among group elements (A, B, C) for proof To do so, a non-reciprocal zero-knowledge proof apparatus for storing program instructions executable by the processor is provided.

Description

Proof-transformation prevention non-reciprocal zero-knowledge proof method and apparatus {Simulation-extractable succinct non-interactive arguments of knowledge method and apparatus}

The present invention relates to a method and apparatus for proof-transformation-resistant non-reciprocal zero-knowledge proof.

Recently, in blockchain systems that guarantee privacy or cloud systems that delegate computation, concise non-reciprocal zero-knowledge proofs (hereafter zk-SNARK: zero-knowledge Succinct Non-interactive ARguments of Knowledge) to prove legitimate operations while protecting privacy. ) as an essential design tool.

Concise, non-reciprocal zero-knowledge proof using the pairing operation of an elliptic curve group is a technique that allows a prover to prove knowledge possession in a concise way without disclosing the information he or she knows. It is encryption technology.

In the case of proof deformation prevention non-reciprocal zero-knowledge proof (SE-SNARK: simulation-extractable succinct non-interactive arguments of knowledge) in recent studies, even the most recent research is based on a square arithmetic circuit (SAP: Square Arithmetic Program) is designed with

[PGHR13] Parno, Bryan, et al. "Pinocchio: Nearly practical verifiable computation." 2013 IEEE Symposium on Security and Privacy. IEEE, 2013. proposed zk-SNARK in which the size of the proof is fixed as a constant regardless of the size of the arithmetic circuit for the first time using elliptic curve pairing and QAP (Quadratic Arithmetic Program). In this study, no matter how many arithmetic circuits are increased, the size of the proof required for verification is fixed with 8 elements of the elliptic curve group, and the verification operation is the same with 5 elements.

[Gro16] Groth, Jens. "On the size of pairing-based non-interactive arguments." Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, Berlin, Heidelberg, 2016. is the latest design with the most efficient results among zk-SNARKs. Compared to previous studies, this design focused on optimizing the proof size and pairing operation required for validation of zk-SNARK. As a result, regardless of the size of the arithmetic circuit, the size of the proof is fixed to three elements and the verification operation is fixed to a single operation.

However, in the case of zk-SNARK, if there is a proof that has already been created, there is a problem that the middleman can transform it and create another type of proof without the information known by the prover.

[GM17] Groth, Jens, and Mary Maller. "Snarky signatures: Minimal signatures of knowledge from simulation-extractable snarks." Annual International Cryptology Conference. Springer and Cham, 2017. proposed a new definition of SE-SNARK and an optimized design for it. In this design, compared to the existing [Gro16], the proof size was still maintained at 3 elements, but the verification operation was increased to two for additional verification to prevent deformation. Also, the existing [Gro16] used the same QAP as [PGHR13] for the underlying arithmetic circuit, but [GM17] used SAP instead of QAP to prevent deformation. Since SAP is an arithmetic circuit in the form of a square and the size of the arithmetic circuit is doubled than that of QAP, the key size and proof time are doubled.

In order to solve the problems of the prior art, the present invention intends to propose a method and apparatus for preventing non-reciprocal zero-knowledge proof from tampering that can confirm a proof by a single verification and can also reduce the key size and proof time.

In order to achieve the above object, according to an embodiment of the present invention, there is provided a non-reciprocal zero-knowledge proof apparatus, comprising: a processor; and a memory coupled to the processor, wherein the memory is configured by the processor to generate a proof by adding a hash function with A and B as inputs to C among the group elements (A, B, C) for proof. A non-reciprocal zero-knowledge proof device for storing executable program instructions is provided.

In the setting process, the program instructions return a common reference string and a simulation trap door by inputting the relation R as input, and in the proof process, input the common reference string, the instance belonging to the relation R and the wisdom based on the secondary arithmetic circuit to return the proof, and during the verification process, the common reference string, the instance, and the proof may be input to return the verification result.

The C may be modified to ^{C * as follows.}

및

와

는 해시함수임here,

and

Wow

is a hash function

The group elements may have a bilinear map.

According to another aspect of the present invention, there is provided a non-reciprocal zero-knowledge proof method, comprising: returning a common reference string and a simulation trapdoor with a relation R as an input; Returning a proof by inputting the common reference string, the instance belonging to the relation R, and the Witness based on the quadratic arithmetic circuit as inputs - The proof includes A and B in C among the group elements (A, B, C) for proof Added hash function as input-; and returning a verification result using the common reference string, the instance, and the proof as inputs.

According to the present invention, single verification is possible using a secondary arithmetic circuit in an asymmetric group, and there is an advantage in that the proof time can be shortened.

In addition, according to the present invention, there is an advantage in that a single verification equation and two elements for proof in a symmetric group can be simplified.

1 is a diagram illustrating the configuration of a non-reciprocal zero-knowledge proof apparatus according to an embodiment of the present invention.

Since the present invention can have various changes and can have various embodiments, specific embodiments are illustrated in the drawings and described in detail.

However, this is not intended to limit the present invention to specific embodiments, and it should be understood to include all modifications, equivalents and substitutes included in the spirit and scope of the present invention.

1 is a diagram illustrating the configuration of a non-reciprocal zero-knowledge proof apparatus according to an embodiment of the present invention.

As shown in FIG. 1 , the non-reciprocal zero-knowledge proof apparatus according to the present embodiment may include a processor 100 and a memory 102 .

Memory 102 may include a non-volatile storage device such as a fixed hard drive or a removable storage device. The removable storage device may include a compact flash unit, a USB memory stick, and the like. Memory 102 may also include volatile memory, such as various random access memories.

The memory 102 stores program instructions executable by the processor 100 .

The program instructions according to the present embodiment generate a proof by adding a hash function inputting A and B to C among the group elements (A, B, C) for proof.

Since this embodiment provides connectivity using a hash function between group elements for proof, deformation can be prevented and proof can be verified with a single verification.

In addition, the program instructions according to the present embodiment return a common reference string and a simulation trapdoor by inputting the relation R as an input in the setting process, and in the proof process, based on the secondary arithmetic circuit, the common reference string and the relation R A proof is returned by inputting the instance and wisdom to which it belongs, and in the verification process, a verification result is returned by inputting the common reference string, the instance, and the proof as inputs.

The present invention proposes a quadratic arithmetic circuit (QAP) based simulation-extractable-SNARK (SE-SNARK) with a single verification equation in an asymmetric group (type III pairing).

이 주어지며, 본 실시예에 따른 증명은 소스 그룹으로부터 단지

에서 2개,

에서 하나인 세 개의 그룹 원소를 구성한다. Three groups with a bilinear map

given that the proof according to this embodiment is only from the source group

2 from

constitutes three group elements that are one in .

According to this embodiment, the proof is verified with a single verification equation in SE-SNARK. More specifically, by using a hash function to combine unique proof tuples (tuple, A, B, C), additional expressions for malleability checks are eliminated.

Table 1 compares the overall size and performance of the QAP-based SE-SNARK with the existing zero-knowledge proofs, zk-SNARK [Gro16] and SE-SNARK [GM17].

zk-
SNARK [Gro16] SE-
SNARK [GM17] Our SE-SNARK circuit base QAP SAP QAP CRS (common reference string) size

Proof size

Prover computation

Verifier computation

Verify equation One 2 One

Table 1 is a comparison of arithmetic circuit satisfaction with l (element instance), m (wires), and n (multiplication gates).

Since SE-SNARK uses a squared gate, 2n squared gates and 2m wires are considered instead of n multiply gates and m wires.

는 그룹 원소, E는 거듭제곱, P는 페어링을 의미한다. in table 1

is a group element, E is a power, and P is a pairing.

Hereinafter, basic notations and relationships will be described.

로 표기한다. 함수

는

일때

로 표기한다security parameters

marked with function

is

when

marked with

이면 함수 f를 무시할 수 있고

이면 압도적이라고 정의한다.

Then the function f can be ignored and

This is defined as overwhelming.

It implicitly assumes that all participants and attackers know the security parameters.

는 S에서 임의로 x를 선택하는 과정을 나타낸다.If S is a set

represents the process of randomly selecting x from S.

가 확률론적 알고리즘인 경우,

는 어떤 적절한 입력에서

를 실행하고 출력 x를 반환하는 과정을 나타낸다.

If is a probabilistic algorithm,

is from any appropriate input

It shows the process of executing and returning the output x.

의 경우,

는 랜덤 코인을 포함하여

의 모든 입력과 출력을 포함하는 목록으로 정의한다. algorithm

In the case of,

including random coins

It is defined as a list containing all inputs and outputs of

에는 게임의 출력이 되는 주요 절차가 있다. In this embodiment, a game is used to define and prove security. game

There is a main procedure that becomes the output of the game.

표기법은 출력이 1일 확률을 나타낸다

The notation represents the probability that the output is 1.

가 주어지면, 관계 생성기

은 다항 시간 소멸 관계

를 반환한다.

에 대해

는 관계 내에 있는 인스턴스

에 대한 위트니스이다. security parameters

Given , the relationship generator

is a polynomial time extinction relation

returns

About

is an instance within the relationship

Witness for.

가 출력할 수 있는 가능한 관계의 집합을

로 표기한다.

The set of possible relationships that can be output by

marked with

Hereinafter, a concise non-reciprocal zero-knowledge proof will be described in detail.

에 대한 간결한 비상호적 영지식 증명은 알고리즘 Arg = (Setup, Prove, Vfy, SimProve)의 네 부분으로 이루어지며 다음과 같이 수행된다.

The concise, non-reciprocal zero-knowledge proof for A is composed of four parts of the algorithm Arg = (Setup, Prove, Vfy, SimProve) and is performed as follows.

: 설정 알고리즘은 관계

를 입력으로 취하는 PPT(Populous) 알고리즘이고, crs(common reference string: 공통참조문자열)와 시뮬레이션 트랩도어(simulation trapdoor)

를 반환한다.

: Setting Algorithm Relation

It is a PPT (Populous) algorithm that takes as input, crs (common reference string) and simulation trapdoor.

returns

: 증명자 알고리즘은 관계

및

에 대해 crs를 입력으로 하는 PPT 알고리즘이고, 증명

를 반환한다.

: The prover algorithm is a relation

and

It is a PPT algorithm with crs as input for

returns

: 검증자 알고리즘은 결정론적 crs, 인스턴스

및 증명

를 입력으로 하는 결정론적 다항 시간 알고리즘(deterministic polynomial time algorithm)이고, 0(reject) 또는 1(accept)를 반환한다.

: The validator algorithm is deterministic crs, instance

and proof

It is a deterministic polynomial time algorithm that takes as input and returns 0 (reject) or 1 (accept).

: 시뮬레이터는 crs,

및 인스턴스

를 입력으로 하는 PPT 알고리즘이고 증명

를 반환한다.

: Simulator is crs,

and instances

PPT algorithm as input and proof

returns

Such a concise, non-reciprocal zero-knowledge proof satisfies completeness, knowledge soundness, zero-knowledge and conciseness.

In the SE-SNARK according to the present embodiment, a hash function is used in the random oracle model. Accordingly, the following forking lemma version is used.

Lemma 1. (General forking lemma).

의 집합

를 고정한다. Integer Q and size

set of

to fix

는 입력

를 페어링으로 반환하는 랜덤 프로그램이라 할 때, 이의 첫번째 원소는

범위를 갖는 정수이고 두번째 원소는 측면 출력(side output)으로 참조된다.

is input

A random program that returns as pairing, its first element is

It is an integer with a range and the second element is referred to as the side output.

는 입력 생성기라고 하는 랜덤한 알고리즘이다.

is a random algorithm called an input generator.

의 수용 확률(accepting probability)은 acc로 표기하며 본 실시예에서

의 확률로 정의되고,

;

;

이다.

The accepting probability of is denoted by acc, and in this embodiment

is defined as the probability of

;

;

to be.

와 연관되는

는 다음과 같이 입력 y에서 진행하는 랜덤 알고리즘이다. forking algorithm

associated with

is a random algorithm proceeding on input y as follows.

Bilinear Groups and Assumptions

Hereinafter, basic bilinear groups and esoteric assumptions required for SE-SNARK adopted in [GM17] are presented.

Definition 3

는 단항으로 보안 파라미터를 입력으로 취하고 기본 순서(prime order) p의 순환 그룹

를 구성하는 쌍선형 그룹

을 보조 정보 aux와 함께 반환한다. Bilinear group generator

is unary, taking security parameters as input and a cyclic group of primary order p

bilinear groups that make up

is returned along with the auxiliary information aux.

Efficient algorithms exist for group task computation, evaluation of bilinear maps, determination of group membership, and generators of sampling of groups.

및

에 대해, 그리고 모든

에 대해 쌍선형이고, 다음과 같은 식을 얻는다. map is all

and

about, and all

is bilinear with respect to , and we get the following equation:

이면

또는

이다. And the map is non-degenerate, if

back side

or

to be.

In general, a bilinear group consists of paired elliptical curves, which can be transformed to yield a non-bilinear map.

인 대칭 쌍선형 그룹과

인 비대칭 쌍선형 그룹으로 쌍선형 그룹을 설정하는 많은 방법이 있다.

symmetric bilinear group and

There are many ways to set up a bilinear group as an asymmetric bilinear group.

과

사이의 어느 방향으로든 효율적으로 계산할 수 있는 할 수 있는 non-trivial homomorphism이 없는 비대칭 그룹(타입 III)에 대해 살펴볼 것이다. In this embodiment

and

We will look at an asymmetric group (type III) without a capable non-trivial homomorphism that can be computed efficiently in either direction between them.

Intractability Assumptions

We describe the esoteric assumptions we use for pairing-based SE-SNARK security verification of elliptic curve groups.

The power knowledge of exponent (PKE) assumption of the symmetric group is used in the SNARK system, but the generalized PKE assumption of the asymmetric group called extended PKE (eX-tended PKE: XPKE) has been recently proposed and utilized.

In this embodiment, the XPKE assumption is adopted and used in both the symmetric group and the asymmetric group.

In this embodiment, consider an attacker with access to source group elements with a discrete logarithm that is a polynomial evaluated over a secret random variable.

This assumption is said to be the only way an attacker can create group elements from two source groups for asymmetric group or type III-matched discrete log pairing.

인

및

는 b가 다항식의 알려진 선형 조합의 평가라는 것을 알고 있는 경우이다.

sign

and

is the case when we know that b is the evaluation of a known linear combination of polynomials.

Similar to the symmetric group assumption, an attacker can create group elements of different generators from the same source group matching the discrete logarithm.

인

에 대해 b가 다항식의 알려진 선형 조합의 평가라는 것을 알고 있는 경우이다. that is, unknown

sign

, if we know that b is the evaluation of a known linear combination of polynomials.

로 대칭(symmetric) XPKE 가정은

로 표기한다. The asymmetric XPKE assumption is

The symmetric XPKE assumption is

marked with

Assumption 1.

는 공격자(adversary),

를 추출자라 한다.

is the attacker,

is called an extractor.

에서, 이득

는 다음과 같이 정의하고,

는 다항식

의 집합이다. asymmetric group

from the gain

is defined as:

is a polynomial

is a set of

에서, 이득

는 다음과 같이 정의되고,

는

의 집합이다. Symmetry group

from the gain

is defined as,

is

is a set of

에 대해

와

가정들은

에 상대적으로 유지되고,

및

가

에서는 무시할 수 있는 PPT 알고리즘

가 존재한다. All PPT attackers

About

Wow

the families

is maintained relative to

and

end

PPT algorithm that is negligible in

exists

에 대해,

가 주어지면, 공격자는 비록

인

를 알고 있다고 하더라도 선형적으로 독립되는

다항식 g에 대한

를 계산할 수 없다. In the univariate case, the polynomial assumption is

About,

Given that, the attacker

sign

is linearly independent even if we know

for polynomial g

cannot be calculated

) 및 대칭 그룹(

)에서 2개의 다항식 가정을 채택한다. In this embodiment, the asymmetric group (

) and the symmetric group (

) adopts two polynomial assumptions.

Assumption 2.

는 공격자(adversary)이라 하고, 다음과 같이 정의된

에서, 이득

을 정의하며,

는 다항식

집합이다.

is called an adversary, and is defined as

from the gain

define,

is a polynomial

is a set

에서, 이득

을 정의하고,

은 다항식 X

의 집합이다. defined as

from the gain

define,

is the polynomial X

is a set of

에 대해

와

가정들은

에 상대적으로 유지되고,

및

가

에서는 무시할 수 있는 PPT 알고리즘

가 존재한다. All PPT attackers

About

Wow

the families

is maintained relative to

and

end

PPT algorithm that is negligible in

exists

QAP-based SE-SNARK Scheme

The following describes how the standard zk-SNARK can be modified.

가 세 개의 그룹원소라는

를 가정한다. In the proof that satisfies Groth's zk-SNARK verification equation in [Gro16],

is the three group elements

assume

에서 알려진 다항식

및 몇가지 비밀

에 대해 다음과 같이 정의된다.

polynomials known from

and some secrets

is defined as follows.

There are two methods for generally randomizing proofs A, B, and C that satisfy Equation (1).

An attacker can set one of the following two:

In this embodiment, we propose a method of neutralizing two attacks using hashes of A and B in C.

A verification equation is required to detect changes in A and B.

It shall be possible to extract the exponent values a and b from the modified proof if A or B changes.

Therefore, this embodiment includes two hash functions to which a and b are added. As a result, C is modified as follows.

및

와

는 해시함수이다. here,

and

Wow

is a hash function.

에 따르면, 다음과 같이 검증은 A 및 B에 적절한 항을 추가함에 의해 수정된다. Modified

According to , the verification is modified by adding the appropriate terms to A and B as follows:

라 한다.

say

가

로 변경되면

는

로 수정되어야 한다. if

end

when changed to

is

should be modified to

및

는 위트니스가 알려진 경우에만 계산 가능하기 때문에 공격자는 증명을 위조할 수 없다. But,

and

An attacker cannot falsify the proof, since it is computable only if the Witness is known.

및

가 변하게 된다. 따라서

및

는

및

에 따라 유효한

계산을 위해 알려져야만 한다. If A and B change, the hash result

and

will change therefore

and

is

and

valid according to

must be known for calculation.

Quadratic Arithmetic Programs

에서, QAP를 채택하고, 이는 다음과 같다. Relationships in SE-SNARK

, adopts QAP, which is as follows.

은 제한된 필드

를 정의하고, 다항식

은 다음의 정의를 갖는 QAP에서 각각 선형적으로 독립된 다항식 집합을 나타낸다.bilinear group

is a restricted field

define the polynomial

denotes a set of linearly independent polynomials in QAP with the following definition.

는 엄격하게 n보다 작고, 여기서 n은

의 차수이다. here,

is strictly less than n, where n is

is the order of

를 1로 정의하면 다음의 정의로 관계 R을 설명한다.

If is defined as 1, the relation R is explained by the following definition.

보다 큰 필드 사이즈를 갖는 관계 R이 주어지면

은 QAP에서 관계 생성기라 정의한다.

Given a relationship R with a larger field size,

is defined as a relationship generator in QAP.

Construction

: 생성기

, 해시함수

및 파라미터

,

와 다음의 집합을 선택한다.

: Generator

, hash function

and parameters

,

and select the following set.

:

로 설정하고,

로서

및

로서

를 분석한다.

:

set to,

as

and

as

Analyze

를 계산하기 위해 위트니스를 사용하고,

를 선택하고,

를 계산한다. from QAP

Using Witness to calculate ,

select ,

to calculate

:

로서

및

로서

를 분석한다.

:

as

and

as

Analyze

로 설정하고 증명을 수락한다. Only if the following equation is satisfied

set to and accept the proof.

:

를 선택하고

를 계산한다.

:

select

to calculate

In the above, a quadratic arithmetic circuit (QAP)-based simulation-extractable-SNARK (SE-SNARK) with a single verification equation in the asymmetric group (type III pairing) has been described.

In the case of proof by adding a hash function inputting A and B to the proof element C as in this embodiment, a square arithmetic circuit with a single verification equation and two elements for proof in a symmetric group (type I pairing) (SAP) based simulation-extractable-SNARK (SE-SNARK) may be provided.

The above-described embodiments of the present invention have been disclosed for the purpose of illustration, and various modifications, changes, and additions will be possible within the spirit and scope of the present invention by those skilled in the art having ordinary knowledge of the present invention, and such modifications, changes and additions should be regarded as belonging to the following claims.

Claims (5)

A non-reciprocal zero-knowledge proof device, comprising:
processor; and
a memory coupled to the processor;
The memory is
To generate a proof by adding a hash function with A and B as inputs to C among the group elements (A, B, C) for proof,
store program instructions executable by the processor;
The program instructions are
In the setting process, a common reference string and a simulation trapdoor are returned with the relation R as input,
In the proof process, based on the secondary arithmetic circuit, the proof is returned by inputting the common reference string, the instance belonging to the relation R, and the Witness,
A non-reciprocal zero-knowledge proof device that returns a verification result by inputting the common reference string, the instance, and the proof in a verification process. delete According to claim 1,
The above C is a non-reciprocal zero-knowledge proof device modified to ^{C * as follows.}

here,

and

Wow

is a hash function According to claim 1,
The non-reciprocal zero-knowledge proof apparatus in which the group elements have a bilinear map. A non-reciprocal zero-knowledge proof method comprising:
returning a common reference string and a simulation trapdoor with the relation R as an input;
Returning a proof by inputting the common reference string, the instance belonging to the relation R, and the Witness based on the quadratic arithmetic circuit as inputs - The proof is A and B in C among the group elements (A, B, C) for proof Added hash function as input-; and
and returning a verification result using the common reference string, the instance, and the proof as inputs.

Images