
    How to Validate a Verification?

    This paper introduces \textsl{signature validation}, a primitive allowing any \underline{t}hird party $T$ (\underline{T}héodore) to verify that a \underline{v}erifier $V$ (\underline{V}adim) computationally verified a signature $s$ on a message $m$ issued by a \underline{s}igner $S$ (\underline{S}arah). A naive solution consists in Sarah sending $x=\{m,\sigma_s\}$, where $\sigma_s$ is Sarah's signature on $m$, and having Vadim confirm reception by a signature $\sigma_v$ on $x$. Unfortunately, this only attests \textsl{proper reception} by Vadim, i.e. that Vadim \textsl{could have checked} $x$ and not that Vadim \textsl{actually verified} $x$. By ``actually verifying'' we mean providing a proof or a convincing argument that a program running on Vadim's machine checked the correctness of $x$. This paper proposes several solutions for doing so, thereby providing a useful building block in numerous commercial and legal interactions for proving informed consent.

    Proofless Verifiable Computation from Integer Factoring

    VC schemes provide a mechanism for verifying the output of a remotely executed program. These are used to support computing paradigms wherein a computationally restricted client, the Verifier, wishes to delegate work to a more powerful but untrusted server, the Prover. The Verifier wishes to detect any incorrect results, be they accidental or malicious. The current state-of-the-art is only close-to-practical, usually because of a computationally demanding setup which must be amortised across repeat executions. We present a VC scheme for verifying the output of arithmetic circuits with a small one-time setup, KGen, independent of the size of the circuit being verified, and an insignificantly small constant program-specific setup, ProbGen. To our knowledge our VC scheme is the first built from the hardness of integer factoring, a standard cryptographic assumption. Our scheme has the added novelty that the proofs are simply the raw output of the target computation, and the Prover is in effect blind to the fact that they are taking part in a VC scheme at all. Compared to related work our scheme comes at the cost of a more expensive, but still efficient, verification step. Verification is always practical, and the Prover workload is unchanged from unverified outsourced computation. Although our scheme has worse asymptotic performance than the state-of-the-art, it is particularly well suited for verifying one-shot programs and the output of large integer polynomial evaluation.

    How to Claim a Computational Feat

    Consider some user buying software or hardware from a provider. The provider claims to have subjected this product to a number of tests, ensuring that the system operates nominally. How can the user check this claim without running all the tests anew? The problem is similar to checking a mathematical conjecture. Many authors report having checked a conjecture $C(x)=\mbox{True}$ for all $x$ in some large set or interval $U$. How can mathematicians challenge this claim without performing all the expensive computations again? This article describes a non-interactive protocol in which the prover provides (a digest of) the computational trace resulting from processing $x$, for randomly chosen $x \in U$. With appropriate care, this information can be used by the verifier to determine how likely it is that the prover actually checked $C(x)$ over $U$. Unlike ``traditional'' interactive proof and probabilistically-checkable proof systems, the protocol is not limited to restricted complexity classes, nor does it require an expensive transformation of programs being executed into circuits or ad-hoc languages. The flip side is that it is restricted to checking assertions that we dub ``\emph{refutation-precious}'': expected to always hold true, and such that the benefit resulting from reporting a counterexample far outweighs the cost of computing $C(x)$ over all of $U$.

    zkPi: Proving Lean Theorems in Zero-Knowledge

    Interactive theorem provers (ITPs), such as Lean and Coq, can express formal proofs for a large category of theorems, from abstract math to software correctness. Consider Alice who has a Lean proof for some public statement $T$. Alice wants to convince the world that she has such a proof, without revealing the actual proof. Perhaps the proof shows that a secret program is correct or safe, but the proof itself might leak information about the program's source code. A natural way for Alice to proceed is to construct a succinct, zero-knowledge, non-interactive argument of knowledge (zkSNARK) to prove that she has a Lean proof for the statement $T$. In this work we build zkPi, the first zkSNARK for proofs expressed in Lean, a state-of-the-art interactive theorem prover. With zkPi, a prover can convince a verifier that a Lean theorem is true, while revealing little else. The core problem is building an efficient zkSNARK for dependent typing. We evaluate zkPi on theorems from two core Lean libraries: stdlib and mathlib. zkPi successfully proves 57.9% of the theorems in stdlib, and 14.1% of the theorems in mathlib, within 4.5 minutes per theorem. A zkPi proof is sufficiently short that Fermat could have written one in the margin of his notebook to convince the world, in zero knowledge, that he proved his famous last theorem. Interactive theorem provers (ITPs) can express virtually all systems of formal reasoning. Thus, an implemented zkSNARK for ITP theorems generalizes practical zero-knowledge's interface beyond the status quo: circuit satisfiability and program execution.

    Construction of a General Model of STARK Proofs for Confirming the Correctness of Obtained Results

    The aim of this work is to analyze existing approaches to zero-knowledge proofs, in particular STARK proofs, and to construct a general model of interactive and non-interactive STARK proofs. The object of study is the process of protecting personal data during authentication and authorization. The subject of study is STARK protocols and the construction of a general model and algorithm for a STARK protocol. Various examples of the application of STARK proofs were considered, a general form of the STARK protocol and its algorithm were constructed, the conditions under which a STARK proof can be created were analyzed, and its running time and proof length were estimated.