US-12627505-B2 - Verifier generated common reference string for zero-knowledge proofs
Abstract
Methods, systems, and devices for data management are described. A verifier node may generate a common reference string (CRS) using a random value. The verifier node may transmit a message including the CRS to a prover node. The prover node may execute a zero-knowledge proof (ZKP) using the CRS and transmit, to the verifier node, a commitment of an output of the ZKP. The commitment of the output may be configured to hide the output from the verifier node until the output is revealed to the verifier node. The verifier node may transmit the random value. The prover node may determine whether the CRS is generated using the random value from the verifier node and either abort the cryptographic operation or reveal the commitment. The verifier node may verify that the output is a valid ZKP if the prover node reveals the commitment.
Inventors
- SAMUEL RANELLUCCI
- Iftach Haitner
Assignees
- Coinbase, Inc.
Dates
- Publication Date
- 20260512
- Application Date
- 20231110
Claims (20)
- 1 . A method for management of a cryptographic operation, comprising: generating, at a verifier node, a common reference string using a random value; transmitting, to a prover node, a message comprising the common reference string; receiving, from the prover node, one or more commitments of respective outputs of a zero-knowledge proof executed by the prover node, the one or more commitments of the respective outputs configured to hide the respective outputs from the verifier node until the respective outputs are revealed to the verifier node; transmitting, after receiving the one or more commitments, the random value that is used for generating the common reference string; receiving, from the prover node, an indication that the one or more commitments of the respective outputs are revealed; regenerating the zero-knowledge proof using the common reference string; and verifying, after receiving the indication that the one or more commitments are revealed and regenerating the zero-knowledge proof, execution of the zero-knowledge proof by the prover node.
- 2 . The method of claim 1 , further comprising: refraining from validating the zero-knowledge proof until the one or more commitments are revealed.
- 3 . The method of claim 1 , further comprising: receiving an execution request to execute the cryptographic operation, wherein the common reference string is generated and the message is transmitted in response to receiving the execution request.
- 4 . The method of claim 1 , wherein transmitting the message comprises: transmitting, to a plurality of multi-party computation (MPC) nodes including the prover node, a request to execute the cryptographic operation, wherein the request includes the common reference string.
- 5 . The method of claim 1 , wherein the cryptographic operation is a distributed signature to be executed by a plurality of MPC nodes including the prover node.
- 6 . The method of claim 1 , further comprising: verifying a result of execution of the cryptographic operation based at least in part on verifying execution of the zero-knowledge proof by a threshold quantity of MPC nodes including the prover node.
- 7 . The method of claim 1 , wherein the respective outputs comprise a second message resulting from execution of the zero-knowledge proof by the prover node.
- 8 . The method of claim 1 , wherein the zero-knowledge proof is a public coin zero-knowledge proof.
- 9 . A method for performing a cryptographic operation, comprising: receiving, from a verifier node and at a prover node, a message comprising a common reference string; executing a zero-knowledge proof using the common reference string; transmitting, to the verifier node, one or more commitments of respective outputs of the zero-knowledge proof, the one or more commitments of the respective outputs configured to hide the respective outputs from the verifier node until the respective outputs are revealed to the verifier node; receiving, after transmitting the one or more commitments and from the verifier node, a random value associated with the common reference string; determining whether the common reference string is generated using the random value received from the verifier node; and aborting the cryptographic operation or revealing the one or more commitments based at least in part on a result of the determining.
- 10 . The method of claim 9 , further comprising: aborting the cryptographic operation based at least in part on determining that the random value results in a value other than the common reference string.
- 11 . The method of claim 9 , further comprising: opening the one or more commitments for the verifier node based at least in part on determining that the common reference string is generated using the random value.
- 12 . The method of claim 9 , wherein transmitting the one or more commitments comprises: committing a second message resulting from execution of the zero-knowledge proof.
- 13 . The method of claim 12 , wherein the second message is committed instead of transmitting the second message directly to the verifier node.
- 14 . The method of claim 9 , wherein the prover node is a multi-party computation (MPC) node and the cryptographic operation is a distributed signature to be executed by a plurality of MPC nodes including the prover node.
- 15 . The method of claim 14 , wherein the distributed signature comprises a threshold quantity of partial signatures by the plurality of MPC nodes.
- 16 . The method of claim 9 , wherein executing the zero-knowledge proof comprises: executing a partial signature using a key share associated with the prover node.
- 17 . The method of claim 9 , wherein the zero-knowledge proof is a public coin zero-knowledge proof.
- 18 . An apparatus for management of a cryptographic operation, comprising: one or more memories storing processor-executable code; and one or more processors coupled with the one or more memories and individually or collectively operable to execute the code to cause the apparatus to: generate, at a verifier node, a common reference string using a random value; transmit, to a prover node, a message comprising the common reference string; receive, from the prover node, one or more commitments of respective outputs of a zero-knowledge proof executed by the prover node, the one or more commitments of the respective outputs configured to hide the respective outputs from the verifier node until the respective outputs are revealed to the verifier node; transmit, after receiving the one or more commitments, the random value that is used for generating the common reference string; receive, from the prover node, an indication that the one or more commitments of the respective outputs are revealed; regenerate the zero-knowledge proof using the common reference string; and verify, after receiving the indication that the one or more commitments are revealed and regenerating the zero-knowledge proof, execution of the zero-knowledge proof by the prover node.
- 19 . The apparatus of claim 18 , wherein the one or more processors are individually or collectively further operable to execute the code to cause the apparatus to: refrain from validating the zero-knowledge proof until the one or more commitments are revealed.
- 20 . The apparatus of claim 18 , wherein the one or more processors are individually or collectively further operable to execute the code to cause the apparatus to: receive an execution request to execute the cryptographic operation, wherein the common reference string is generated and the message is transmitted in response to receiving the execution request.
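The exchange described in the abstract and in claims 1 and 9, as an added example that is not part of the patent or of Coinbase's code. The patent does not fix the zero-knowledge proof, the commitment scheme, or how the CRS is derived from the random value, so all three are assumptions here: the ZKP is a Schnorr-style public-coin proof of knowledge of a discrete log (the witness x stands in for a key share), the CRS is SHA-256 of the verifier's random value r, the commitment is a salted hash of the proof messages, and the group parameters are a toy safe-prime group constructed for the example. The verifier receives only a hiding commitment before it discloses r; the prover opens the commitment only after checking that the CRS it used really was derived from r, and otherwise aborts.

```python
import hashlib
import hmac
import secrets

# Toy group constructed for this example only: p = 2q + 1 with p = 2039 and
# q = 1019 prime, g = 4 generating the order-q subgroup. Far too small for
# real use; a deployment would use a standard group.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1


def h(*parts: bytes) -> bytes:
    """Domain-separated SHA-256 over length-prefixed parts (assumed hash)."""
    m = hashlib.sha256()
    for part in parts:
        m.update(len(part).to_bytes(4, "big"))
        m.update(part)
    return m.digest()


def i2b(x: int) -> bytes:
    return x.to_bytes(4, "big")


class Verifier:
    """Verifier node: derives the CRS from a random value r and reveals r
    only after the prover has committed to its proof messages."""

    def __init__(self, y: int):
        self.y = y                        # public statement: y = g^x
        self.r = secrets.token_bytes(32)  # random value behind the CRS
        self.crs = h(b"crs", self.r)      # assumed CRS derivation

    def open_crs(self, lie: bool = False) -> bytes:
        # lie=True models a verifier whose CRS was not derived from the r it sends
        return secrets.token_bytes(32) if lie else self.r

    def verify(self, com: bytes, opening) -> bool:
        nonce, a, z = opening
        # 1. the opening must match the commitment received earlier
        if not hmac.compare_digest(com, h(b"com", nonce, i2b(a), i2b(z))):
            return False
        # 2. regenerate the public-coin challenge from the CRS and check the proof
        e = int.from_bytes(h(b"chal", self.crs, i2b(self.y), i2b(a)), "big") % Q
        return pow(G, z, P) == (a * pow(self.y, e, P)) % P


class Prover:
    """Prover node holding the witness x (e.g. a key share)."""

    def __init__(self, x: int):
        self.x = x
        self.y = pow(G, x, P)

    def prove_and_commit(self, crs: bytes) -> bytes:
        self.crs = crs
        k = secrets.randbelow(Q - 1) + 1
        a = pow(G, k, P)
        # public-coin challenge bound to the verifier-supplied CRS
        e = int.from_bytes(h(b"chal", crs, i2b(self.y), i2b(a)), "big") % Q
        z = (k + e * self.x) % Q
        self.nonce = secrets.token_bytes(32)
        self.output = (self.nonce, a, z)
        # only a hiding commitment to (a, z) leaves the prover at this point
        return h(b"com", self.nonce, i2b(a), i2b(z))

    def check_crs_and_open(self, r: bytes):
        """Return the opening if the CRS really came from r, else None (abort)."""
        if not hmac.compare_digest(self.crs, h(b"crs", r)):
            return None
        return self.output


def run_protocol(x: int, dishonest_verifier: bool = False) -> str:
    """Drive the full exchange; returns 'accept', 'reject' or 'abort'."""
    prover = Prover(x)
    verifier = Verifier(prover.y)
    com = prover.prove_and_commit(verifier.crs)   # V -> P: crs ; P -> V: com
    r = verifier.open_crs(lie=dishonest_verifier)  # V -> P: r
    opening = prover.check_crs_and_open(r)
    if opening is None:
        return "abort"                             # (a, z) are never revealed
    return "accept" if verifier.verify(com, opening) else "reject"  # P -> V: opening


if __name__ == "__main__":
    print(run_protocol(x=123))                           # honest run
    print(run_protocol(x=123, dishonest_verifier=True))  # prover aborts
```

The ordering is the point of claims 2 and 13: because the verifier holds only a hiding commitment when it discloses r, a verifier that sent a CRS it cannot explain as a function of r never sees the proof messages, and the verifier validates nothing until the commitment is opened. Sending (a, z) directly instead of the commitment would hand them over before the CRS check could run.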
Description
FIELD OF TECHNOLOGY

The present disclosure relates generally to data management, including techniques for verifier generated common reference string (CRS) for public coin zero-knowledge proofs.

BACKGROUND

Blockchains and related technologies may be employed to support recordation of ownership of digital assets, such as cryptocurrencies, fungible tokens, non-fungible tokens (NFTs), and the like. Generally, peer-to-peer networks support transaction validation and recordation of transfer of such digital assets on blockchains. Various types of consensus mechanisms may be implemented by the peer-to-peer networks to confirm transactions and to add blocks of transactions to the blockchain networks. Example consensus mechanisms include the proof-of-work consensus mechanism implemented by the Bitcoin network and the proof-of-stake mechanism implemented by the Ethereum network. Some nodes of a blockchain network may be associated with a digital asset exchange, which may be accessed by users to trade digital assets or trade a fiat currency for a digital asset.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example of a computing environment that supports verifier generated common reference string (CRS) for zero-knowledge proofs in accordance with aspects of the present disclosure. FIG. 2 shows an example of a computing environment that supports verifier generated CRS for zero-knowledge proofs in accordance with aspects of the present disclosure. FIGS. 3 and 4 show an example of a process flow that supports verifier generated CRS for zero-knowledge proofs in accordance with aspects of the present disclosure. FIG. 5 shows a block diagram of an apparatus that supports verifier generated CRS for zero-knowledge proofs in accordance with aspects of the present disclosure. FIG. 6 shows a block diagram of a verifier node that supports verifier generated CRS for zero-knowledge proofs in accordance with aspects of the present disclosure. FIG. 7 shows a diagram of a system including a device that supports verifier generated CRS for public coin zero-knowledge proofs in accordance with aspects of the present disclosure. FIG. 8 shows a block diagram of an apparatus that supports verifier generated CRS for zero-knowledge proofs in accordance with aspects of the present disclosure. FIG. 9 shows a block diagram of a prover node that supports verifier generated CRS for zero-knowledge proofs in accordance with aspects of the present disclosure. FIG. 10 shows a diagram of a system including a device that supports verifier generated CRS for zero-knowledge proofs in accordance with aspects of the present disclosure. FIGS. 11 through 14 show flowcharts illustrating methods that support verifier generated CRS for zero-knowledge proofs in accordance with aspects of the present disclosure.

DETAILED DESCRIPTION

Zero-knowledge proofs (e.g., zk-proofs) are cryptographic methods that may be used in a variety of applications, and zero-knowledge proofs may be used by a party (e.g., a prover) to prove to another party (e.g., the verifier) that a given statement is true without revealing additional information. Example applications include authentication systems and blockchain networks. For example, in the case of blockchain networks, zero-knowledge proofs may be used to verify contents of transactions without revealing the transaction data. Zero-knowledge proofs may also be used in multi-party computations (MPCs) to support secure computation (e.g., signatures) without revealing the inputs to each node. For example, a threshold signature scheme (TSS) may utilize a zero-knowledge proof to execute or validate an operation. In such cases, a secret may be split into multiple (e.g., two or more) parts and distributed to multiple nodes. A threshold quantity of nodes may use the secret value to execute an operation.
For example, the threshold quantity of nodes, which may be less than a total quantity of nodes having the parts, may be required to execute the operation. The threshold quantity of nodes may execute the operation without revealing the secret. In the example of a cryptographic operation, such as a cryptographic signature or a cryptographic transaction, a cryptographic key share (e.g., a key share of a private key) may be distributed to multiple MPC nodes, where a threshold quantity of MPC nodes may execute the cryptographic operation using the respective key shares. In some cases, a key management system may distribute the cryptographic key to the MPC nodes using MPC operations. In order to verify an operation, such as the cryptographic operation, a verifier node and a prover node (e.g., one or more of the MPC nodes) may execute a zero-knowledge proof. The zero-knowledge proof may enable the verifier node to confirm the operation as correct while not revealing the secret (e.g., the cryptographic key or key share). That is, the verifier node may confirm the operation without revealing the secret used by the threshold quantity of nodes to