Lecture 14 : ZK Proofs onSecret - shared Data

MIT - G- 893

fall 2020

Henry Corrigan -Gibbs

Plan

* Recap : SNDRGS* App : Private Aggregation

Logistics* Zk Proof on Secret- shared Data

AHHH due Friday 5pm→ Def 're * OH, Today 3- 4:30pm

* Breakout rooms * guest lecture next

Wednesday .

* stretch Break

* Construction of 2-K Pfon Secret-shared Data

Recap : SNARG

←setup

ProveCsx) Verifier (C )0 it

s O1- ta n

* Prover convinces verifier that C is SAT( '- Ssi assignment starts with

-

" )* Ver:S. runs in time less than required to evaluate C* Proof is short ? Length depends only on see param.* Get 2- K

"

for free "

Encryptionof

Lpc sethpggpt.snKeyC

O Enorptionangfwe.PH 0 Checks

th- + → answers

p a

Private Aggregation . . . . -Ghani 88 .. - - - I

- Large # of clients holding values

×I,. . . .

, XnE t

- Server wants to learn .d Xi Etf→"

Degenerate " MPC in which ckt has onlyaddition gates - no Mnl gates .

Simple Protocolt

clients Servers0 [XIAt > D serve A

i. f si. ?icx :3.'

, GIB' §+SB= Xi

In 9 so. n.EC'D.> 1) Seba B

Simple Protocol

1.

CorrectnessAll parties honest ⇒ Get correct answer

2. Privacy

31 server honest ⇒ Protocol " leaks nothingmore then fix ..

"

[If you

don't care about efficiencyor clients going offline , every clientcan act as a server.

3.Concrete efficiency- One msg from client to each server- One msg from serves to each other

Applications [Annoying in practice'

.se?.ejdaemyTelemetry

*§ O is not used Priv mod

I 0-W

-

t good& I I 11

⇒ is Dn n Mozilla

Firefox users O

O

•How many Ff

swarms. .. ..,i÷÷÷÷÷÷

qt(I- pl by folks at Bu

D B FBD"B oo ¥111

" o Civil Society orgD D o

Hou much do m vs.

V

Boston employers gfctrosspaidppy.EE/pIF@

ApplicationsFederated leaning apptis pi n

j o

'DO

Google

Phones

( avg gradient)

Pnb Health Statistics

O O

is is°

I

is is i÷÷÷k¥¥m.Phones

today ?

probhemulsimpbeprot.co/-No limits on range of client inputs .

Sum is computed E F ( i.e.mod p)

Server A

OEb

> DL EhsFf User

Server B

Should be : at Be {0,13'①

Evil user

can set : G)at B- anything c- t

arbitrary influence on output.

↳Output is cxi) +A f- sad:#hour

Really , we want to compute i.x.

- for x. c-0,13.

Fix using Zk

Server A

- DX Io Kb )

v

I qepttg.at^ Ths Server B

- DO

GTBO

÷¥¥¥÷:*:*

÷.⇒*.- Complete : Honest p (client)convinces honest Vs Gerry)

- Soundness : Dishonest P rarelyconvinces honest V

- 2- K : Servers learn nothing about x, except the XE B

↳ Each server can simulate its view . . .

→ Zk proof on secret - shared dataMultiple verifiers, each holds a share of data

.

Food

Constructing Zk on Secret -Shared Data

④a

> DProve Irs

- Iacelrcj

1- in Cx) . 9N B

> DVerifies

Kiera. Use linear Pops.

xe {0,4Gt ⇐ xcx - 1) so c- tKkk Nx - D)

I. Prover produces linear PCP itestmatestiyto fact that x satisfies C .

2.

Prom splits it into shares,sends

one shore to each verifier .

3. Verifies jointly make linear queriesto secret- shared input & proof.↳ Run LPCP wig only on answers

(9; .. - , as) ← (PCP. Quest )

CX), It's

a. I]

IT← LPCP. Proulx )

Ots'The 'T c- Fm Ca]. -4,43111T.

'

1- An :

:

i. SharedEft i randomness

[a]p=G , paths ) /a Ths

ar f]19, ,

. . .

,9,) ← LPCP

. Query ()

[a]. - firs -

- 29,1×3,111%3+5911 HID= (9

,

× HIT> as we need.

As before , completeness , soundness,2-k follow

almost immediately from properties of LPCP

EfficiencyP - V : 044 ) ft elms for clot of

size Kl

✓→ V : 011) IF elms. . .

one perlinen PCP

query.

Better Efficiency ?* Might like to reduce PSV communication

.

* Can do if det C has nice structureC - g. many repeated sub clots

[In some cases, requires interaction

.