| | 1 | = zero-knowledge proofs/arguments of knowledge: reading list = |
| | 2 | |
| | 3 | This page collects useful papers, articles, and links about |
| | 4 | multi-party computation and zero-knowledge proofs. |
| | 5 | |
| | 6 | == SNARKs == |
| | 7 | |
| | 8 | [http://tau.ac.il/~tromer/papers/csnark-20131007.pdf SNARKs for C: |
| | 9 | Verifying Program Executions Succinctly and in Zero Knowledge]: |
| | 10 | (Ben-Sasson, Chiesa, Genkin, Tromer, Virza). This defines the |
| | 11 | zk-SNARK (zero-knowledge Succinct Non-interactive ARgument of |
| | 12 | Knowledge) scheme used by Zerocash. |
| | 13 | |
| | 14 | This paper collects a number of previous clever ideas, adds some |
| | 15 | new ones, and finds ways to optimize the combination enough to make |
| | 16 | everything useful. The resulting system does the following: |
| | 17 | |
| | 18 | * compiles an arbitrary C program into a simple virtual machine |
| | 19 | named "TinyRAM" |
| | 20 | * performs a one-time key-generation phase that takes the program |
| | 21 | and limits on runtime and input size, and produces two keys: the |
| | 22 | "proving key" and the "verification key". The proving key is very |
| | 23 | big, while the verification key is pretty small. |
| | 24 | * for each run of the program (given some primary input): |
| | 25 | * the Prover runs the TinyRAM program in a special way that |
| | 26 | gathers information about its execution (order of execution, |
| | 27 | changes to memory values). It also gets "auxilliary input", |
| | 28 | which is not revealed to the verifier, and represents |
| | 29 | nondeterminism (somehow). |
| | 30 | * the Prover combines this information with the proving key to |
| | 31 | create the proof. These proofs are very small. |
| | 32 | * later, the Verifier can combine the proof, the primary input, |
| | 33 | and the verification key, and compute a single "accept/reject" |
| | 34 | value. Verifying a proof is much much faster than creating one. |
| | 35 | |
| | 36 | One example they use is a proof of a good solution for the |
| | 37 | "rectilinear Traveling Salesman Problem", whose input is the node |
| | 38 | locations (x,y), the starting point (x,y), and a distance bound. |
| | 39 | You can solve this problem by measuring the Manhattan distance for |
| | 40 | all possible routes (permutations of the non-starting-point nodes) |
| | 41 | and finding at least one whose total distance is lower than the |
| | 42 | bound. Their example uses such a solution as the "auxilliary |
| | 43 | input", and a TinyRAM program which sums the distances and compares |
| | 44 | it against the bound. The verifier learns that the program really |
| | 45 | does run and emits "yes", without learning what the route is. |
| | 46 | |
| | 47 | For a 200-node graph, their TinyRAM program had 1105 instructions |
| | 48 | and needed 11001 steps to complete. It took 247 minutes to create |
| | 49 | the proving and verification keys. The proving key was about 12GB |
| | 50 | (using an 80-bit security level), and the verification key was 620 |
| | 51 | bytes. It then took 155 minutes to create one instance of the |
| | 52 | proof, and the proof itself was 322 bytes. Verifying the proof took |
| | 53 | 0.11 seconds. |
| | 54 | |
