245 research outputs found

    On Prover-Efficient Public-Coin Emulation of Interactive Proofs


    Classical Cryptographic Protocols in a Quantum World

    Cryptographic protocols, such as protocols for secure function evaluation (SFE), have played a crucial role in the development of modern cryptography. The extensive theory of these protocols, however, deals almost exclusively with classical attackers. If we accept that quantum information processing is the most realistic model of physically feasible computation, then we must ask: what classical protocols remain secure against quantum attackers? Our main contribution is showing the existence of classical two-party protocols for the secure evaluation of any polynomial-time function under reasonable computational assumptions (for example, it suffices that the learning with errors problem be hard for quantum polynomial time). Our result shows that the basic two-party feasibility picture from classical cryptography remains unchanged in a quantum world. Comment: Full version of an old paper in Crypto'11. Invited to IJQI. This is the authors' copy with different formatting.

    On Interactive Proofs of Proximity with Proof-Oblivious Queries

    Interactive proofs of proximity (IPPs) offer ultra-fast approximate verification of assertions regarding their input, where ultra-fast means that only a small portion of the input is read and approximate verification is analogous to the notion of approximate decision that underlies property testing. Specifically, in an IPP, the prover can make the verifier accept each input in the property, but cannot fool the verifier into accepting an input that is far from the property (except with small probability). The verifier in an IPP system engages in two very different types of activities: interacting with an untrusted prover, and querying its input. The definition allows for arbitrary coordination between these two activities, but keeping them separate is both conceptually interesting and necessary for important applications such as addressing temporal considerations (i.e., at what time each of the services is available) and facilitating the construction of zero-knowledge schemes. In this work we embark on a systematic study of IPPs with proof-oblivious queries, where the queries should not be affected by the interaction with the prover. We assign the query and interaction activities to separate modules, and consider different limitations on their coordination. The most strict limitation requires these activities to be totally isolated from one another; they just feed their views to a separate deciding module. We show that such systems can be efficiently emulated by standard testers. Going to the other extreme, we only disallow information to flow from the interacting module to the querying module, but allow free information flow in the other direction. We show that extremely efficient one-round (i.e., two-message) systems of such type can be used to verify properties that are extremely hard to test (without the help of a prover). That is, the complexity of verifying can be polylogarithmic in the complexity of testing. This stands in contrast to MAPs (viewed as 1/2-round systems), in which proof-oblivious queries are as limited as in our isolated model. Our focus is on an intermediate model that allows shared randomness between the querying and interacting modules but no information flow between them. In this case we show that 1-round systems are efficiently emulated by standard testers, but 3/2-round systems of extremely low complexity exist for properties that are extremely hard to test. One additional result about this model is that it can efficiently emulate any IPP for any property of low-degree polynomials.

    Concurrent Knowledge-Extraction in the Public-Key Model

    Knowledge extraction is a fundamental notion, modelling machine possession of values (witnesses) in a computational complexity sense. The notion provides an essential tool for cryptographic protocol design and analysis, enabling one to argue about the internal state of protocol players without ever looking at this supposedly secret state. However, when transactions are concurrent (e.g., over the Internet) with players possessing public keys (as is common in cryptography), assuring that entities "know" what they claim to know, where adversaries may be well coordinated across different transactions, turns out to be much more subtle and in need of re-examination. Here, we investigate how to formally treat knowledge possession by parties (with registered public keys) interacting over the Internet. Stated more technically, we look into the relative power of the notion of "concurrent knowledge-extraction" (CKE) in the concurrent zero-knowledge (CZK) bare public-key (BPK) model. Comment: 38 pages, 4 figures.

    On Efficient Zero-Knowledge Arguments


    Transparent SNARKs from DARK Compilers

    We construct a new polynomial commitment scheme for univariate and multivariate polynomials over finite fields, with logarithmic size evaluation proofs and verification time, measured in the number of coefficients of the polynomial. The underlying technique is a Diophantine Argument of Knowledge (DARK), leveraging integer representations of polynomials and groups of unknown order. Security is shown from the strong RSA and the adaptive root assumptions. Moreover, the scheme does not require a trusted setup if instantiated with class groups. We apply this new cryptographic compiler to a restricted class of algebraic linear IOPs, which we call Polynomial IOPs, to obtain doubly-efficient public-coin interactive arguments of knowledge for any NP relation with succinct communication. With linear preprocessing, the online verifier's work is logarithmic in the circuit complexity of the relation. There are many existing examples of Polynomial IOPs (PIOPs) dating back to the first PCP (BFLS, STOC'91). We present a generic compilation of any PIOP using our DARK polynomial commitment scheme. In particular, compiling the PIOP from PLONK (GWC, ePrint'19), an improvement on Sonic (MBKM, CCS'19), yields a public-coin interactive argument with quasi-linear preprocessing, quasi-linear (online) prover time, logarithmic communication, and logarithmic (online) verification time in the circuit size. Applying Fiat-Shamir results in a SNARK, which we call *Supersonic*. Supersonic is also concretely efficient with 10KB proofs and under 100ms verification time for circuits with 1 million gates (estimated for 120-bit security). Most importantly, this SNARK is transparent: it does not require a trusted setup. We obtain zk-SNARKs by applying a hiding variant of our polynomial commitment scheme with zero-knowledge evaluations. Supersonic is the first complete zk-SNARK system that has both a practical prover time as well as asymptotically logarithmic proof size and verification time. The original proof had a significant gap that was discovered by Block et al. (CRYPTO 2021). The new security proof closes the gap and shows that the original protocol with a slightly adjusted parameter is still secure. Towards this goal, we introduce the notion of almost-special-sound protocols, which likely has broader applications.

    Public-Coin Zero-Knowledge Arguments with (almost) Minimal Time and Space Overheads

    Zero-knowledge protocols enable the truth of a mathematical statement to be certified by a verifier without revealing any other information. Such protocols are a cornerstone of modern cryptography and recently are becoming more and more practical. However, a major bottleneck in deployment is the efficiency of the prover and, in particular, the space-efficiency of the protocol. For every $\mathsf{NP}$ relation that can be verified in time $T$ and space $S$, we construct a public-coin zero-knowledge argument in which the prover runs in time $T \cdot \mathrm{polylog}(T)$ and space $S \cdot \mathrm{polylog}(T)$. Our proofs have length $\mathrm{polylog}(T)$ and the verifier runs in time $T \cdot \mathrm{polylog}(T)$ (and space $\mathrm{polylog}(T)$). Our scheme is in the random oracle model and relies on the hardness of discrete log in prime-order groups. Our main technical contribution is a new space-efficient polynomial commitment scheme for multi-linear polynomials. Recall that in such a scheme, a sender commits to a given multi-linear polynomial $P \colon \mathbb{F}^n \rightarrow \mathbb{F}$ so that later on it can prove to a receiver statements of the form $P(x) = y$. In our scheme, which builds on the commitment schemes of Bootle et al. (Eurocrypt 2016) and Bünz et al. (S&P 2018), we assume that the sender is given multi-pass streaming access to the evaluations of $P$ on the Boolean hypercube and we show how to implement both the sender and receiver in roughly time $2^n$ and space $n$ and with communication complexity roughly $n$.

    Dynamic Extraction of Multi-Round Knowledge Argument Systems

    Bulletproofs are a popular proof system based on the discrete logarithm assumption. Among other things, they can be used to enable confidential transactions on blockchains. Their main component is the so-called Inner Product Argument, in which it is proven for two vectors, to which commitments are known, that they have a particular inner product. Only a number of rounds logarithmic in the length of the vectors is needed, with a small, constant number of elements to be sent. To prove knowledge soundness for these protocols, an emulator must be given. This usually first builds a transcript tree and then uses it to extract the vectors as a witness. Since the proof system is based on the discrete logarithm assumption, the extraction therefore yields either a discrete logarithm or vectors that open the commitments. Hoffmann, Klooß and Rupp [8] observed that the extraction process never needs the entire transcript tree. In the case of a successful vector extraction, only a number of transcripts linear in the size of the witness is used; if a discrete logarithm was found, a quasi-linear number is needed. This is considerably better than the quadratic number of transcripts from the Bulletproofs paper [5]. To exploit this observation, dynamic access to the transcript tree is required. The authors left this problem open for future research. This master's thesis investigates what such dynamic access to the transcript tree could look like: first, an abstraction of the extractor's transcript-query behaviour is formulated, which is then used to show the limits of the previous proof strategy. In addition, the Inner Product Argument and its extraction are made concrete and proven. Finally, a formal framework for describing dynamic extraction and dynamic transcript-tree construction is presented, and important properties of it are proven.

    Black-Box Wallets: Fast Anonymous Two-Way Payments for Constrained Devices

    Black-box accumulation (BBA) is a building block which enables a privacy-preserving implementation of point collection and redemption, a functionality required in a variety of user-centric applications including loyalty programs, incentive systems, and mobile payments. By definition, BBA+ schemes (Hartung et al. CCS'17) offer strong privacy and security guarantees, such as unlinkability of transactions and correctness of the balance flows of all (even malicious) users. Unfortunately, the instantiation of BBA+ presented at CCS'17 is, on modern smartphones, just fast enough for comfortable use. It is too slow for wearables, let alone smart-cards. Moreover, it lacks a crucial property: for the sake of efficiency, the user's balance is presented in the clear when points are deducted. This may allow owners to be tracked by just observing revealed balances, even though privacy is otherwise guaranteed. The authors intentionally forgo the use of costly range proofs, which would remedy this problem. We present an instantiation of BBA+ with some extensions following a different technical approach which significantly improves efficiency. To this end, we get rid of pairing groups and rely on different zero-knowledge and fast range proofs, along with a slightly modified version of Baldimtsi-Lysyanskaya blind signatures (CCS'13). Our prototype implementation with range proofs (for 16-bit balances) outperforms BBA+ without range proofs by a factor of 2.5. Moreover, we give estimates showing that smart-card implementations are within reach.